
Governance, Risk and Compliance

Platform Considerations
Executive Summary
Integration of multiple governance, risk and compliance (GRC) disciplines on a single platform is increasing, yet barriers to successful integration of the technology across numerous groups remain. Many organizations continue to use multiple GRC technologies to fulfill different departmental needs, and different platforms are used for IT GRC and enterprise GRC (eGRC). Within the eGRC space, integration is most often encountered among internal audit, financial controls and enterprise risk assurance. Compliance-oriented functions have been less inclined to integrate on a single platform; this is due in part to the specific subject-matter expertise required of the different compliance functions, which makes the broader risk and control sets documented by other groups less relevant to compliance teams. Yet The Institute of Internal Auditors (The IIA) position paper, The Three Lines of Defense in Effective Risk Management and Control (January 2013), provides good insight into why it makes sense to bring these functions together, at least on an aggregated level, even if subsets of information are contained in other source systems: it will enable the three lines (operational/business line managers, risk and compliance functions, and internal audit) to coordinate activities, map assurance functions and perform independent validation.
Organizations will find value in integrating the above disciplines on a single platform but they must first find
ways to overcome common barriers associated with the integration process, including:
Lack of sponsorship and leadership to drive integration across multiple groups
Lack of collaboration across groups
Lack of a unified GRC framework, or a common language
Complexity of existing technologies
Lack of effective change management
Lack of demonstrable return on investment (ROI)
GRC technology will not solve all integration barriers by itself. Certain components must already be in place (policies, processes and infrastructure), which GRC technology can then help bring together to meet enterprise objectives. To help your company in its consideration of GRC technology, this paper outlines:
GRC domains
Key elements of a GRC platform
Software evaluation considerations

PROTIVITI Governance, Risk and Compliance Platform Considerations 1


GRC DOMAINS

GRC solutions are typically grouped into the GRC domains described below. Each domain may have one or more
subgroupings (e.g., the compliance domain has a variety of industry- or regulatory-specific subdomains such as anti-
corruption, financial services regulatory tracking, Bank Secrecy Act (BSA)/PATRIOT Act, Basel, and Solvency II).

Enterprise Risk Management (ERM)


ERM platforms help companies execute their business strategies while managing enterprise and operational risks.
They are designed to support management's articulation of business objectives, key strategies and risk appetite. The platform should enable a clear linkage of risks to performance objectives and facilitate communication between leadership and the lines of business (LOBs) regarding responsibility to execute strategies within clearly defined tolerances. To support operational risk programs, ERM platforms enable development of detailed risk and control registers, and support client-tailored assessment exercises as well as tracking of related incidents. They allow for different assessment methodologies across assurance disciplines that can be consolidated and aggregated into a broader corporate risk profile.
Companies adopting more analytical approaches may also use the platforms to track actual, near-miss and scenario-based incidents that directly link to related objectives, risks and controls, as well as to incorporate key performance indicators (KPIs) and key risk indicators (KRIs) from multiple source systems. Finally, ERM platforms may either directly support, or provide inputs into, third-party engines for the data modeling used in quantitative analysis of certain financial risks (e.g., credit, market, liquidity) and in operational risk capital allocation.

ERM platforms include features that help organizations do the following:

Establish a risk model or framework that documents a common risk language across the organization, allowing
risk managers to compare and manage risks across the enterprise
Deploy risk assessments through an integrated workflow and survey engine, helping risk managers to identify
and focus on the right risks at the right time to minimize exposure
Develop response strategies to address identified risks and manage the implementation and execution of the
strategies through completion
Identify KRIs and establish acceptable thresholds that generate alerts to stakeholders and executives when
thresholds are violated, allowing risk managers to take quick action to mitigate risk
Manage incidents and their impact on the business through data collection, reporting, root cause
identification and accountability, inclusive of scenario analysis

Compliance Management
Compliance platforms help companies incorporate compliance with external laws and regulations as well as internal
policies into their enterprise risk profile. Platforms typically combine content and policy management with external
regulatory feeds and internal controls to provide companies with a rationalized framework for managing externally
and internally driven compliance programs efficiently.
These platforms' workflow and assessment engines support tailored, scalable methods for communicating and
monitoring adherence to policies across LOBs, products and services. They leverage a relational architecture
allowing program managers to connect front-office activities (e.g., underwriting a loan) with back-office
processes and capabilities (e.g., IT systems that support the process), highlighting areas requiring remediation
and supporting management of compliance-oriented projects.



Compliance platforms include features that help organizations do the following:

Manage policies, including documentation, review, communication and attestation


Integrate policies with other enterprise content and records management systems such as Microsoft
SharePoint
Monitor external regulations through feeds from third-party content providers and involve business-line
representatives in the impact assessment via streamlined workflows
Associate regulations and risks to policies and controls in a way that allows organizations to apply rationalized
compliance efforts efficiently to multiple regulatory and risk management activities
Offer eLearning modules to communicate corporate brand and ideals, promote employee education, and
comply with training requirements incorporated into various laws and regulations in a cost-effective manner
Prioritize and manage compliance projects in the context of broader corporate initiatives and resource
allocation, enabling the balancing of profit-driving strategies with regulatory imperatives

Information Technology (IT) Governance


IT governance platforms help companies align IT strategy with the needs of the business by establishing
IT-centric risk and compliance processes that allow for effective management of business risks and external
regulations. They serve as a central repository of the IT environment and allow organizations to prioritize and
manage IT projects while optimizing resource allocation, effectively balancing strategic initiatives with equally
necessary compliance imperatives.
In addition, IT platforms facilitate the drawing of clear associations between key elements of the IT infrastructure and the company's business lines, products, services and processes. They enable policy management and facilitate bidirectional assessment of the business risks that IT controls mitigate as well as the risks originating in IT that may adversely impact the business. Incident, KPI and KRI tracking quickly bring to the surface IT exposures originating from assessment exercises as well as integrated source systems, and include workflow to manage related exceptions.

IT governance platforms include features that help organizations do the following:

Inventory the IT landscape, including assets, processes, services, applications and infrastructure elements
Prioritize and manage IT projects based on the balance of strategic objectives and compliance requirements
Develop, maintain, communicate and monitor adherence to IT policies
Implement standard frameworks, including ITIL, COBIT, ISO 27002, PCI DSS, GLBA and HIPAA
Highlight the results of IT risk assessments, incidents and threshold breaches in the context of related
business products, services and processes to draw attention quickly to areas requiring attention
Develop business continuity plans, including checklists, workflow templates, questionnaires, assessments
and planning guidance
Test general computing controls and assess the impact of these controls on key business processes
Remediate issues and risks through action plans and tasks generated through automatic email notifications
and workflows
Integrate their platforms with third-party IT monitoring tools to identify potential IT vulnerabilities that
require remediation



Financial Controls
Financial controls platforms have capabilities designed to improve corporate governance and facilitate compliance
with financial reporting regulations in a cost-effective manner. The platform serves as a repository for all internal control documentation, evaluation, testing and remediation, inclusive of financial reporting certifications. Increasingly, financial controls platforms provide continuous controls monitoring capabilities that directly link data analysis of enterprise resource planning (ERP) transactional data to test or KRI results, allowing monitoring for exceptions or threshold breaches.

Financial controls platforms include features that help organizations do the following:

Complete a financial risk-based scoping exercise and prioritize key risks and controls that affect compliance
with financial reporting regulations
Create process, risk and control documentation in a central repository, allowing for analysis of entities,
processes and IT systems
Deploy design and operating effectiveness assessments to control owners through an integrated survey
engine to drive accountability and simplify the user experience
Validate controls through independent testing and continuous monitoring, providing assurance about the
control environment
Facilitate disclosure certification of gaps and weaknesses through dashboards and reports that compile
information based on internal analysis and testing of controls
Integrate remediation management into processes through action plans, automatic email notifications to
business owners and reporting to ensure that deficiencies are addressed

Internal Audit (IA)


Internal audit GRC platforms help companies integrate internal audit into their GRC programs to bring a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.1 The integration of audit capabilities into the broader GRC platform not only facilitates execution of the annual audit plan, but helps IA professionals to share their insights with other groups and view and leverage the work of others to ensure appropriate coverage of enterprise risks. IA GRC platforms typically integrate scheduling and work paper management with the shared GRC register, allowing auditors to leverage the work of other disciplines while also providing independent validation of policy and control procedures.
IA platforms are designed to support end-to-end audit lifecycle management, including enterprise risk assessment, planning, execution, reporting, monitoring and follow-up. They also provide a central repository for all audit
work, making it easy to find and manage. Many GRC platforms include time and expense management, auditor
profile management and offline work paper management.

1 Internal audit capabilities should be aligned with The IIA's International Professional Practices Framework, as a best industry practice. Companies should take this into consideration when evaluating solutions.



IA capabilities help organizations do the following:

Automate the audit process, from risk assessment through reporting


Identify and assess risks through integrated surveys, simplifying the feedback process and tying risks to key
processes and organizations that feed the audit planning process
Schedule audits and allocate audit resources based on their availability and skills profile, allowing for better
management of time and resources
Track projects, report on resource utilization and manage budgets through time and expense tracking
Manage electronic work papers offline through an audit workbench, including field-level synchronization and
conflict management
Remediate issues identified during the audit process and follow them through to completion to ensure gaps
are addressed
Compile audit information and create final audit reports quickly, reducing the time and effort required to
provide management and the board with key risk information
Follow up on key issues and track their status through insight-providing reporting and dashboards

KEY ELEMENTS OF A GRC PLATFORM

Most GRC vendors provide core GRC components with their platforms that can be configured to fit different
GRC solutions. Based on their brand and points of origination, the solutions vary with regard to the depth
of capabilities and content offered within the core components. For example, vendors that first released their
products during the Sarbanes-Oxley Act (SOX) heyday will tend to have strong, purpose-built functionality
for both financial controls and audit, such as auditor scheduling and offline work papers, whereas vendors
that originated from an IT GRC perspective are more likely to have specific integrations with tools used to
monitor IT systems to ensure business continuity, information protection and detection of IT threats.
Below, we outline the basic functionalities of GRC platforms. Your organization's assessment of these functionalities
will depend on whether you want to enable a single or synergistic set of GRC domains, or drive an integrated,
cross-domain approach. Organizations or individual departments looking to implement GRC technology
for a specific need will evaluate the functionality (and cost) of the solution in the specific context of that
need. Organizations seeking an integrated GRC solution will evaluate the core functional components
based on more broadly applicable technical capabilities, and, accordingly, should expect their costs to be higher.
The core functional components of a GRC platform include:
Data modeling. Data modeling supports the establishment of a consolidated GRC framework and
entity hierarchy within which detailed business records (e.g., objectives, risks, controls, incidents,
indicators, action plans) are managed. This core component is used across all GRC domains. The flexibility
and configurability of the data modeling architecture is essential in integrated GRC deployments.
Content management. The content management component is applicable to individual business
records and supports authoring, rich-text editing, cross-referencing, tagging, workspace/file
collaboration with version control, change history and archiving. This core component is prominently
featured in compliance (policy management) and audit management solution areas.
Project management. Project management capabilities are utilized to manage project scheduling,
activities and work papers related to multiple GRC efforts, most notably audit and case management.
These capabilities are also important for IT project portfolio management and are becoming more useful
for the management of regulatory projects that stem from regulatory change management processes.



Workflow management. Workflow management automates business logic and facilitates enterprise
communication, collaboration, notification, accountability and assurance, and review. It is used across all
GRC contexts. Key workflow capabilities include:
Business rules engine: The system should natively support auto-calculation of basic business rules
based on client-specific criteria (e.g., calculation of total risk score based on impact and likelihood
values). It should also support multirecord calculations and complex business logic that is custom-
developed and maintained across upgrades with no need for additional customization.
Tasking and notification: The system should support role-based, event-driven tasking and
notification that enables collaborative execution of key processes, including review and remediation
activities. It should allow for multidirectional routing, including the ability to route work to multiple
individuals at the same time, as well as send review comments back to individuals with reopening of
previous tasks. It should offer configurable notifications that allow for tailored messaging and direct
access of content from emails.
Distributed communication: The system should provide the option to distribute standard surveys
where responses are maintained via the survey, and integrated assessments that directly update the
underlying GRC register. It should also support site or checklist-driven audit and performance
review activities that allow for mobile assurance professionals to remotely perform evaluations of
their various sites, locations, branches, plants, etc. To drive more specific value and ROI around
specific risks, this engine must support wizard-driven methods of communicating and collecting
information to promote awareness, drive certifications and distribute e-trainings. It should provide
specific features in support of conditional logic and allow for a high degree of complexity in terms of
review and routing. Branded communication is sometimes an option that can support strategy and
policy communication.
Reporting and analysis. GRC platform reporting capabilities should include several types of reporting
formats that provide flexible query analysis and data download capabilities, information summaries,
drill-down dashboard reporting, and heavy-text and editable reporting (e.g., via Microsoft Word).
Platforms vary in the accessibility of the data model and the level of expertise required to create data
views, perform queries based on configured data elements and configure dashboards.
Advanced analytics and modeling. Different platforms provide varying degrees of advanced analysis
or integration with various operational, transactional and analytical tools used to consolidate analysis
within the GRC taxonomy and drive enterprise action planning. Different types of advanced and
external analytics capabilities include:
Regulatory change management: Incorporates external regulatory feeds from multiple content
providers in order to trigger workflows, specifically the sourcing of regulatory updates and related
impact analysis.
Data analysis: Performs data analysis that is either initiated from a proprietary module within
the system or from external systems in the form of tests, indicators and actions. The types of data
analytics performed are generally categorized as continuous controls monitoring (e.g., segregation
of duties, duplicate payments, unmatched invoices); IT monitoring (e.g., vulnerabilities, patch
requirements); and transaction and third-party monitoring/matching (e.g., anti-fraud, vendor
matching against banned entity lists).
Data modeling and integration: Several GRC platforms either provide their own proprietary
modeling tools (e.g., Monte Carlo simulation, Pareto analysis) or provide inputs into other
quantitative engines to support advanced data modeling for quantitative risk analysis for market,
credit or liquidity risk or capital allocation for operational risks in certain regulatory circumstances.
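The continuous controls monitoring tests named above (duplicate payments, segregation of duties, vendor matching against banned entity lists), together with the ERP-linked exception and KRI threshold monitoring described under Financial Controls, can be pictured as rules run over exported transaction records. What follows is an added example written for this page; it is not Protiviti's or any GRC vendor's code. The record layout, test names, banned-entity list and KRI thresholds are assumptions, and the payment data is constructed.

```python
# Added example (not Protiviti's or any GRC vendor's code): continuous controls
# monitoring rules run over constructed ERP-style payment records. The record
# layout, test names, banned-entity list and KRI thresholds are assumptions.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Payment:
    """One accounts-payable document as it might be exported from an ERP."""
    doc_id: str
    vendor_id: str
    vendor_name: str
    invoice_ref: str
    amount: float
    posted: date
    created_by: str     # user who entered the payment
    approved_by: str    # user who released it


@dataclass(frozen=True)
class Finding:
    test: str                 # which control test raised the exception
    doc_ids: Tuple[str, ...]  # ERP documents involved
    detail: str


_LEGAL_SUFFIXES = {"ltd", "limited", "inc", "llc", "co", "corp", "gmbh", "plc", "sa"}


def normalize_name(name: str) -> str:
    """Case-fold, strip punctuation and drop legal suffixes so that
    'ACME Trading, Ltd.' and 'acme trading limited' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.casefold()).split()
    return " ".join(t for t in tokens if t not in _LEGAL_SUFFIXES)


def duplicate_payments(payments: Iterable[Payment]) -> List[Finding]:
    """Same vendor, same invoice reference and same amount posted more than once."""
    groups: Dict[tuple, List[Payment]] = defaultdict(list)
    for p in payments:
        groups[(p.vendor_id, p.invoice_ref, round(p.amount, 2))].append(p)
    return [Finding("duplicate_payment", tuple(p.doc_id for p in grp),
                    f"{grp[0].vendor_id}/{grp[0].invoice_ref} paid {len(grp)} times")
            for grp in groups.values() if len(grp) > 1]


def segregation_of_duties(payments: Iterable[Payment]) -> List[Finding]:
    """The user who entered a payment must not be the one who released it."""
    return [Finding("sod_create_approve", (p.doc_id,),
                    f"{p.created_by} both created and approved the document")
            for p in payments if p.created_by == p.approved_by]


def banned_entity_matches(payments: Iterable[Payment], banned_names: Iterable[str]) -> List[Finding]:
    """Vendor names matched against a denied-party list after normalization."""
    banned = {normalize_name(b) for b in banned_names}
    return [Finding("banned_entity", (p.doc_id,), f"vendor '{p.vendor_name}' matches banned list")
            for p in payments if normalize_name(p.vendor_name) in banned]


def run_ccm(payments: List[Payment], banned_names: Iterable[str]) -> List[Finding]:
    """Run every test; each exception becomes a Finding the GRC register can track."""
    return (duplicate_payments(payments)
            + segregation_of_duties(payments)
            + banned_entity_matches(payments, banned_names))


def kri_status(findings: Iterable[Finding], thresholds: Dict[str, int]) -> Dict[str, Tuple[int, bool]]:
    """The KRI for each test is its exception count; a breach is a count above
    the agreed threshold (tests with no threshold default to zero tolerance)."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f.test] += 1
    return {test: (n, n > thresholds.get(test, 0)) for test, n in counts.items()}


# Constructed sample data, not real transactions.
SAMPLE_PAYMENTS = [
    Payment("5000001", "V100", "ACME Trading, Ltd.", "INV-771", 12500.00, date(2015, 3, 2), "jdoe", "msmith"),
    Payment("5000002", "V100", "ACME Trading, Ltd.", "INV-771", 12500.00, date(2015, 3, 9), "jdoe", "msmith"),
    Payment("5000003", "V205", "Northwind Supplies Inc", "INV-018", 840.50, date(2015, 3, 10), "rlee", "rlee"),
    Payment("5000004", "V310", "Blue Harbor Logistics LLC", "BH-44", 3200.00, date(2015, 3, 11), "jdoe", "msmith"),
    Payment("5000005", "V412", "zenith   exports co.", "ZX-9", 99.00, date(2015, 3, 12), "pmo", "msmith"),
]
SAMPLE_BANNED = ["Zenith Exports Limited", "Crimson Holdings plc"]
KRI_THRESHOLDS = {"duplicate_payment": 0, "sod_create_approve": 2, "banned_entity": 0}

if __name__ == "__main__":
    results = run_ccm(SAMPLE_PAYMENTS, SAMPLE_BANNED)
    for f in results:
        print(f.test, f.doc_ids, f.detail)
    print(kri_status(results, KRI_THRESHOLDS))
```

Each Finding carries the ERP document identifiers, which is what lets a platform link the exception back to the control, the action plan and the owner; the KRI layer is deliberately separate from the tests, because the threshold is a governance decision while the test is a data rule.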



The above components are underpinned by a core architecture which should support the following:
Configuration. Configurability is essential to meeting unique customer requirements related to the
data model, data input and visualization, and reporting.
Data integration. GRC platforms tend to integrate with third-party systems via a web-based
application programming interface (API) as well as automated common-data-format (.xml, .csv) uploads.
Different vendors integrate with different types of data, based on their origins and experience. For
example, vendors focused on IT governance will tend to integrate with asset management and IT
monitoring tools to bring IT infrastructure directly into the system. Vendors historically focused
on financial controls implementations tend to integrate with ERPs to facilitate continuous controls
monitoring. Companies should give consideration to actual integration examples in order to leverage
existing extensions that may already be in place. While most vendors have an API, it may be important
to find out whether their APIs are published or available for your internal consumption if you plan to
have internal development teams integrate internal systems with the platform over time.
Data security. GRC platform vendors typically offer a role-based security architecture that supports enterprise-, entity-, record- and field-level security. Most also offer Lightweight Directory Access Protocol (LDAP) integration and single sign-on capabilities. Potential points of differentiation in an integrated GRC implementation relate to the level of subadministration offered by the platform, such as the ability to filter certain record sets by GRC discipline or grouped area in a way that is easily manageable (i.e., offering a level between enterprise- and entity-level assignments). During evaluation, confirm that record- and field-level restrictions are enforced consistently in ad hoc reporting, data downloads and the API, not only in the input screens.
Contextualization. In an integrated GRC implementation, the ability to present different navigation
and input screens is of key importance for organizations that want a more intuitive platform that is also
able to aggregate data into contextual themes.
Multiple languages. For some companies, it may be important that the platform support a multilingual interface or input screens. This feature translates navigation, field labels and drop-down categorizations and provides reporting of results by reading multiple language inputs (e.g., aggregates the number of controls rated "ineffective" in English or "ineficaz" in Spanish).
Performance. Companies should evaluate architecture performance by establishing performance standards based on the composition of users across key use cases. They may want to establish one set of standards for frequent users (e.g., auditors) and a different set for infrequent users (e.g., quarterly certifiers), and test against both. Many GRC platforms feel sluggish even when not under heavy concurrency load. Knowing the size of the vendor's largest implementation and comparing it with the size of yours will help ensure that the platform meets your load requirements.
Offline and mobile support. Organizations are increasingly requesting offline and mobile device
support, particularly for distributed or offsite review processes (e.g., conduct of an audit or branch review).
While this may not be one of your company's critical requirements currently, understanding the vendor's mobile strategy may provide insight into the usability of the system going forward, not only for audits but for enablement of less frequent user inputs (e.g., response to a certification questionnaire).
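The layered security model described under Data security (enterprise-wide rights, a subadministration level per GRC discipline, entity-level rights that follow the entity hierarchy, explicit record grants, and field-level restriction) is easier to evaluate once written down as a policy check. The block below is an added example for this page, not any vendor's implementation; the role names, entity paths, field names and records are assumptions, and the data is constructed.

```python
# Added example (not any GRC vendor's code): the layered record-security model
# described in the Data security paragraph, i.e. enterprise > discipline
# subadministration > entity subtree > record, with field-level restriction.
# Role names, entity paths, field names and records are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Record:
    record_id: str
    discipline: str            # GRC discipline the record belongs to, e.g. "compliance"
    entity: str                # path in the entity hierarchy, e.g. "Corp/EMEA/DE"
    fields: Dict[str, object]


@dataclass(frozen=True)
class Grant:
    scope: str                                    # "enterprise", "discipline", "entity" or "record"
    target: Optional[str] = None                  # discipline name, entity path or record id
    hidden_fields: FrozenSet[str] = frozenset()   # field-level restriction attached to this grant


@dataclass(frozen=True)
class Role:
    name: str
    grants: Tuple[Grant, ...]


def _covers(grant: Grant, rec: Record) -> bool:
    """Does this grant reach the record? Entity grants cover the whole subtree."""
    if grant.scope == "enterprise":
        return True
    if grant.scope == "discipline":
        return rec.discipline == grant.target
    if grant.scope == "entity":
        return rec.entity == grant.target or rec.entity.startswith(grant.target + "/")
    if grant.scope == "record":
        return rec.record_id == grant.target
    return False


def visible_records(role: Role, records: Iterable[Record]) -> Dict[str, Dict[str, object]]:
    """Deny by default: a record is visible only if some grant covers it.
    A field is hidden only if every covering grant hides it, so permissions
    accumulate as in a conventional RBAC model."""
    out: Dict[str, Dict[str, object]] = {}
    for rec in records:
        covering = [g for g in role.grants if _covers(g, rec)]
        if not covering:
            continue
        hidden = frozenset.intersection(*(g.hidden_fields for g in covering))
        out[rec.record_id] = {k: v for k, v in rec.fields.items() if k not in hidden}
    return out


# Constructed sample register: four records across three disciplines and two entity subtrees.
SAMPLE_RECORDS = [
    Record("R1", "compliance", "Corp/EMEA/DE",
           {"title": "Policy attestation overdue", "risk_score": 12, "remediation_cost": 40000, "owner": "jdoe"}),
    Record("R2", "audit", "Corp/EMEA/DE",
           {"title": "Audit finding follow-up", "risk_score": 6, "remediation_cost": 5000, "owner": "rlee"}),
    Record("R3", "compliance", "Corp/AMER/US",
           {"title": "Sanctions screening gap", "risk_score": 16, "remediation_cost": 120000, "owner": "pmo"}),
    Record("R4", "it_governance", "Corp/AMER/US",
           {"title": "Patch requirement open", "risk_score": 9, "remediation_cost": 2500, "owner": "ops"}),
]

ROLES = {
    # enterprise level: everything, every field
    "enterprise_admin": Role("enterprise_admin", (Grant("enterprise"),)),
    # subadministration level: one discipline across all entities
    "compliance_subadmin": Role("compliance_subadmin", (Grant("discipline", "compliance"),)),
    # entity level: every discipline under one node of the hierarchy, cost figures hidden
    "emea_entity_owner": Role("emea_entity_owner",
                              (Grant("entity", "Corp/EMEA", frozenset({"remediation_cost"})),)),
    # record level: a single explicit record, owner hidden
    "r4_reviewer": Role("r4_reviewer", (Grant("record", "R4", frozenset({"owner"})),)),
}

if __name__ == "__main__":
    for name, role in ROLES.items():
        print(name, visible_records(role, SAMPLE_RECORDS))
```

The same function should be applied to every read path (screens, dashboards, downloads, API) rather than only to the navigation tree; if a platform cannot show you that a single policy decision governs all of them, the field-level security it advertises is only a display setting.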



SOFTWARE EVALUATION CONSIDERATIONS

When evaluating the different solutions, organizations need to consider several factors. One is the time frame and budget required to implement the system. Another is the configurability of the solution to the company's needs. Organizations should avoid platforms designed like black boxes, with limited ability to configure controls or generate the reports needed.
Relationship with the vendor is another important factor to keep in mind. Many vendors are more focused on
providing functional knowledge transfer rather than assisting their GRC customers with establishing a unified
framework that can sustain multidiscipline GRC efforts. Not every solution vendor is interested in actively
learning about and enabling the customer's existing methodology. Open communication and access to the
vendor's expertise during the evaluation period is key.
During the vendor selection process, it is important to test the marketing message versus the vendor's ability to
deliver. Areas of inquiry should include:
Configurability versus customization. Vendors may market a high degree of configurability but
require significant customization in order to do that. This increases initial implementation costs and the
complexity of future upgrades. Clients should ask the vendor to articulate which elements of the vendor's
platform require customization, and how the vendor will manage maintenance and upgrades for the client.
Time to value. As a rule of thumb, most customers seek to gain value from at least one or two
modules within six months. Vendors should be able to demonstrate a plan to show value for at least two
stakeholder groups within this period.
Multi-stakeholder integration. The company should ask the vendor to demonstrate a plan that
will provide individual stakeholder groups with their own workspaces devoid of clutter from other
stakeholder groups, while also consolidating information into corporate risk profiles. This plan should
include unique data views and input screens as well as segregation of data among stakeholder groups. It
should be clear during the evaluation process how many modules of the software are required to achieve
integration across stakeholder groups and how much additional modules for further growth will cost.
Specifically, when developing targeted solutions across different GRC disciplines, the vendor should
be able to tell the client whether it will be able to configure core functionality from licensed modules
into new solutions, or whether it would require additional modules or licensing for each new targeted
solution on the vendor's development road map.
Reporting. As mentioned previously, vendors should be able to demonstrate how configurations
flow through to ad hoc reporting analysis without requiring significant technical effort on behalf of
the client or intervention by the vendor. A key challenge with complex implementations is that it is
nearly impossible to know all the information a company will want out of a system at the start of the
implementation, so having a mechanism to create your own searches and reports is extremely important.
Implementation team and customer support. Understanding the level of involvement of the
implementation team, the scope of customer support and vendor resources, and the availability of
knowledge forums are key to sustained success. While software vendors are typically not responsible
for developing your methodologies, they should demonstrate a commitment to applying their functions
to your program through analysis of your stated requirements and underlying data. The vendor should
be able to articulate the functional guidance that is included in the baseline support versus additionally
charged professional services. Vendors should also be able to articulate how their support resources are
trained and how the knowledge gained during implementation is transferred to the future support team.
Several vendors are developing interesting models in this regard, where customers are able to share
experiences and knowledge of technical elements with the vendor and each other through virtual web
exchanges. By facilitating this exchange, these vendors are strengthening the position of their enterprise
platforms in the development community.



About Protiviti's GRC Technology
Protiviti's GRC experts have worked with thousands of global clients to deliver targeted GRC software
solutions that address their immediate needs while facilitating convergence toward fully integrated, value-
added GRC practices.
The Protiviti Governance Portal is a comprehensive software platform that integrates content and commonly
accepted and proprietary frameworks with world-class consulting expertise in order to provide organizations
with the visibility and insight needed to manage and mitigate current and future risk and compliance issues.

The Governance Portal integrates process, knowledge and technology to help clients:
Start the GRC program quickly, using out-of-the box content and templates
Execute GRC tasks efficiently using proprietary GRC content that provides industry normative guidance
Create a self-sustainable GRC program by easily configuring the Governance Portal to meet each
organization's GRC program requirements, methodology and terminology
Add value by converging multiple GRC activities
Rely on real-time reporting and dashboards to provide executives with a holistic view of all GRC efforts

Contact
Scott Wisniewski
Managing Director, Risk Technologies
+1.312.476.6303
scott.wisniewski@protiviti.com

ABOUT PROTIVITI

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance,
technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000
and 35 percent of Fortune Global 500 companies. Protiviti and our independently owned Member Firms serve
clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing
companies, including those looking to go public, as well as with government agencies.
Named one of the 2015 Fortune 100 Best Companies to Work For, Protiviti is a wholly owned subsidiary of
Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.



THE AMERICAS
UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge
ARGENTINA*: Buenos Aires
BRAZIL*: Rio de Janeiro, São Paulo
CANADA: Kitchener-Waterloo, Toronto
CHILE*: Santiago
MEXICO*: Mexico City
PERU*: Lima
VENEZUELA*: Caracas

EUROPE/MIDDLE EAST/AFRICA
FRANCE: Paris
GERMANY: Frankfurt, Munich
ITALY: Milan, Rome, Turin
THE NETHERLANDS: Amsterdam
UNITED KINGDOM: London
BAHRAIN*: Manama
KUWAIT*: Kuwait City
OMAN*: Muscat
QATAR*: Doha
SAUDI ARABIA*: Riyadh
UNITED ARAB EMIRATES*: Abu Dhabi, Dubai
SOUTH AFRICA*: Johannesburg

ASIA-PACIFIC
AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney
CHINA: Beijing, Hong Kong, Shanghai, Shenzhen
INDIA*: Bangalore, Hyderabad, Kolkata, Mumbai, New Delhi
JAPAN: Osaka, Tokyo
SINGAPORE: Singapore

* Protiviti Member Firm

© 2015 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet. PRO-PKIC-0915-214


Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on
financial statements or offer attestation services.
