Platform Considerations
Executive Summary
Integration of multiple governance, risk and compliance (GRC) disciplines on a single platform is increasing,
yet barriers to successful integration of the technology across numerous groups remain. Many organizations
continue to use multiple GRC technologies to fulfill different departmental needs, and different platforms
are used for IT GRC and enterprise GRC (eGRC). Within the eGRC space, integration is most often
encountered among internal audit, financial controls and enterprise risk assurance. Compliance-oriented
functions have been less inclined to integrate on a single platform; this is due in part to the specific
subject-matter expertise required of the different compliance functions, which makes the broader risk and
control sets documented by other groups less relevant to compliance teams. Yet The Institute of Internal
Auditors (The IIA) position paper, The Three Lines of Defense in Effective Risk Management and Control
(January 2013), provides good insight into why it makes sense to bring these functions together, at least on
an aggregated level, even if subsets of information are contained in other source systems: it will enable the
three lines (operational/business line managers, risk and compliance functions, and internal audit) to
coordinate activities, map assurance functions and perform independent validation.
Organizations will find value in integrating the above disciplines on a single platform, but they must first find
ways to overcome common barriers associated with the integration process, including:
Lack of sponsorship and leadership to drive integration across multiple groups
Lack of collaboration across groups
Lack of a unified GRC framework, or a common language
Complexity of existing technologies
Lack of effective change management
Lack of demonstrable return on investment (ROI)
GRC technology will not solve all integration barriers by itself. Certain components must already be in
place: policies, processes and infrastructure, which GRC technology can help bring together to unify and meet
enterprise objectives. To help your company in its consideration of GRC technology, this paper outlines:
GRC domains
Key elements of a GRC platform
Software evaluation considerations
GRC solutions are typically grouped into the GRC domains described below. Each domain may have one or more
subgroupings (e.g., the compliance domain has a variety of industry- or regulatory-specific subdomains such as
anti-corruption, financial services regulatory tracking, Bank Secrecy Act (BSA)/PATRIOT Act, Basel, and Solvency II).
Establish a risk model or framework that documents a common risk language across the organization, allowing
risk managers to compare and manage risks across the enterprise
Deploy risk assessments through an integrated workflow and survey engine, helping risk managers to identify
and focus on the right risks at the right time to minimize exposure
Develop response strategies to address identified risks and manage the implementation and execution of the
strategies through completion
Identify KRIs and establish acceptable thresholds that generate alerts to stakeholders and executives when
thresholds are violated, allowing risk managers to take quick action to mitigate risk
Manage incidents and their impact on the business through data collection, reporting, root cause
identification and accountability, inclusive of scenario analysis
Compliance Management
Compliance platforms help companies incorporate compliance with external laws and regulations as well as internal
policies into their enterprise risk profile. Platforms typically combine content and policy management with external
regulatory feeds and internal controls to provide companies with a rationalized framework for managing externally
and internally driven compliance programs efficiently.
These platforms' workflow and assessment engines support tailored, scalable methods for communicating and
monitoring adherence to policies across lines of business (LOBs), products and services. They leverage a
relational architecture that allows program managers to connect front-office activities (e.g., underwriting a
loan) with back-office processes and capabilities (e.g., IT systems that support the process), highlighting
areas requiring remediation and supporting management of compliance-oriented projects.
Inventory the IT landscape, including assets, processes, services, applications and infrastructure elements
Prioritize and manage IT projects based on the balance of strategic objectives and compliance requirements
Develop, maintain, communicate and monitor adherence to IT policies
Implement standard frameworks, including ITIL, COBIT, ISO27002, PCI, GLBA and HIPAA
Highlight the results of IT risk assessments, incidents and threshold breaches in the context of related
business products, services and processes to draw attention quickly to areas requiring attention
Develop business continuity plans, including checklists, workflow templates, questionnaires, assessments
and planning guidance
Test general computing controls and assess the impact of these controls on key business processes
Remediate issues and risks through action plans and tasks generated through automatic email notifications
and workflows
Integrate their platforms with third-party IT monitoring tools to identify potential IT vulnerabilities that
require remediation
Financial controls platforms include features that help organizations do the following:
Complete a financial risk-based scoping exercise and prioritize key risks and controls that affect compliance
with financial reporting regulations
Create process, risk and control documentation in a central repository, allowing for analysis of entities,
processes and IT systems
Deploy design and operating effectiveness assessments to control owners through an integrated survey
engine to drive accountability and simplify the user experience
Validate controls through independent testing and continuous monitoring, providing assurance about the
control environment
Facilitate disclosure certification of gaps and weaknesses through dashboards and reports that compile
information based on internal analysis and testing of controls
Integrate remediation management into processes through action plans, automatic email notifications to
business owners and reporting to ensure that deficiencies are addressed
Internal audit capabilities should be aligned with The IIA's International Professional Practices Framework, as a best industry practice.
Most GRC vendors provide core GRC components with their platforms that can be configured to fit different
GRC solutions. Based on their brand and points of origination, the solutions vary with regard to the depth
of capabilities and content offered within the core components. For example, vendors that first released their
products during the Sarbanes-Oxley Act (SOX) heyday will tend to have strong, purpose-built functionality
for both financial controls and audit, such as auditor scheduling and offline work papers, whereas vendors
that originated from an IT GRC perspective are more likely to have specific integrations with tools used to
monitor IT systems to ensure business continuity, information protection and detection of IT threats.
Below, we outline the basic functionalities of GRC platforms. Your organization's assessment of these functionalities
will depend on whether you want to enable a single or synergistic set of GRC domains, or drive an integrated,
cross-domain approach. Organizations or individual departments looking to implement GRC technology
for a specific need will evaluate the functionality (and cost) of the solution in the specific context of that
need. Organizations seeking an integrated GRC solution will evaluate the core functional components
based on more broadly applicable technical capabilities and, accordingly, should expect their costs to be higher.
The core functional components of a GRC platform include:
Data modeling. Data modeling supports the establishment of a consolidated GRC framework and
entity hierarchy within which detailed business records (e.g., objectives, risks, controls, incidents,
indicators, action plans) are managed. This core component is used across all GRC domains. The flexibility
and configurability of the data modeling architecture is essential in integrated GRC deployments.
Content management. The content management component is applicable to individual business
records and supports authoring, rich-text editing, cross-referencing, tagging, workspace/file
collaboration with version control, change history and archiving. This core component is prominently
featured in compliance (policy management) and audit management solution areas.
Project management. Project management capabilities are utilized to manage project scheduling,
activities and work papers related to multiple GRC efforts, most notably audit and case management.
These capabilities are also important for IT project portfolio management and are becoming more useful
for the management of regulatory projects that stem from regulatory change management processes.
When evaluating the different solutions, organizations need to consider several factors. One is the time frame
and budget required to implement the system. Another is the configurability of the solution to the company's
needs. Organizations should avoid platforms designed like black boxes, with limited ability to configure
controls or generate the reports needed.
The relationship with the vendor is another important factor to keep in mind. Many vendors are more focused on
providing functional knowledge transfer than on assisting their GRC customers with establishing a unified
framework that can sustain multidiscipline GRC efforts. Not every solution vendor is interested in actively
learning about and enabling the customer's existing methodology. Open communication and access to the
vendor's expertise during the evaluation period are key.
During the vendor selection process, it is important to test the marketing message against the vendor's ability to
deliver. Areas of inquiry should include:
Configurability versus customization. Vendors may market a high degree of configurability but
require significant customization in order to achieve it. This increases initial implementation costs and the
complexity of future upgrades. Clients should ask the vendor to articulate which elements of the vendor's
platform require customization, and how the vendor will manage maintenance and upgrades for the client.
Time to value. As a rule of thumb, most customers seek to gain value from at least one or two
modules within six months. Vendors should be able to demonstrate a plan to show value for at least two
stakeholder groups within this period.
Multi-stakeholder integration. The company should ask the vendor to demonstrate a plan that
will provide individual stakeholder groups with their own workspaces devoid of clutter from other
stakeholder groups, while also consolidating information into corporate risk profiles. This plan should
include unique data views and input screens as well as segregation of data among stakeholder groups. It
should be clear during the evaluation process how many modules of the software are required to achieve
integration across stakeholder groups and how much additional modules for further growth will cost.
Specifically, when developing targeted solutions across different GRC disciplines, the vendor should
be able to tell the client whether it will be able to configure core functionality from licensed modules
into new solutions, or whether each new targeted solution on the vendor's development road map would
require additional modules or licensing.
Reporting. As mentioned previously, vendors should be able to demonstrate how configurations
flow through to ad hoc reporting analysis without requiring significant technical effort on behalf of
the client or intervention by the vendor. A key challenge with complex implementations is that it is
nearly impossible to know all the information a company will want out of a system at the start of the
implementation, so having a mechanism to create your own searches and reports is extremely important.
Implementation team and customer support. Understanding the level of involvement of the
implementation team, the scope of customer support and vendor resources, and the availability of
knowledge forums are key to sustained success. While software vendors are typically not responsible
for developing your methodologies, they should demonstrate a commitment to applying their functions
to your program through analysis of your stated requirements and underlying data. The vendor should
be able to articulate the functional guidance that is included in the baseline support versus additionally
charged professional services. Vendors should also be able to articulate how their support resources are
trained and how the knowledge gained during implementation is transferred to the future support team.
Several vendors are developing interesting models in this regard, where customers are able to share
experiences and knowledge of technical elements with the vendor and each other through virtual web
exchanges. By facilitating this exchange, these vendors are strengthening the position of their enterprise
platforms in the development community.
The Governance Portal integrates process, knowledge and technology to help clients:
Start the GRC program quickly, using out-of-the box content and templates
Execute GRC tasks efficiently using proprietary GRC content that provides industry normative guidance
Create a self-sustainable GRC program by easily configuring the Governance Portal to meet each
organization's GRC program requirements, methodology and terminology
Add value by converging multiple GRC activities
Rely on real-time reporting and dashboards to provide executives with a holistic view of all GRC efforts
Contact
Scott Wisniewski
Managing Director Risk Technologies
+1.312.476.6303
scott.wisniewski@protiviti.com
ABOUT PROTIVITI
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance,
technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000
and 35 percent of Fortune Global 500 companies. Protiviti and our independently owned Member Firms serve
clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing
companies, including those looking to go public, as well as with government agencies.
Named one of the 2015 Fortune 100 Best Companies to Work For, Protiviti is a wholly owned subsidiary of
Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.