
Compliance Decisions Checklist

A Decision Maker's Guide to GRC Solutions

Despite the growing number of GRC offerings from vendors large and small, most compliance shops still struggle with finding a functionally balanced solution that matches their specific needs.

BY JOHN WEATHINGTON

GRC VENDORS GETTING BETTER
WATCH OUT FOR THE LAND MINES
FLEXIBILITY IS KING
AIM FOR FUNCTIONAL BALANCE

1 A DECISION MAKERS GUIDE TO GRC SOLUTIONS SEARCHCOMPLIANCE.COM

It's been almost 10 years since the Sarbanes-Oxley Act changed the governance, risk and compliance (GRC) landscape, but companies continue to grapple with putting together clean solutions that address their needs. This difficulty can be seen in the basic decision to build vs. buy a GRC solution. Most companies end up buying because executives don't want to suck away resources from projects considered to be more strategically important to the operation. The implication is that GRC projects are not strategic. Personally, I think that belief is misguided. For purposes of full disclosure, however, I have given a considerable amount of help to companies that decided to buy and build in equal measure.

GRC VENDORS GETTING BETTER

What I am particularly encouraged by today is that top-tier GRC vendors are taking an active interest in designing these products correctly. But I have also seen the armada of smaller niche players delivering some very functional solutions as well, which wasn't always the case. The amalgamation of governance, risk and compliance into one functional solution has traditionally been challenging. Each of these products began life as a single point solution that was sometimes bundled sensibly but sometimes recklessly combined with others. In each case, the products were marketed as comprehensive solutions. Although we don't see as much of that today, there are some products in the marketplace that still haven't matured past this phase. It's critical, then, to take the time to know the history and evolution of the GRC products you're evaluating so you don't end up purchasing a tool with functional gaps. At the very least, consult with an expert you trust who knows the origins of the GRC solution on which your heart is set. You should avoid any solution that began as a loose collection of point solutions and that did not undergo major surgery to properly conjoin its disparate pieces.

WATCH OUT FOR THE LAND MINES

With that behind us, let's look at some of the land mines I see organizations regularly stepping on with regard to GRC products, the first being the integration of the primary modules. It may help to briefly explain the function of each primary module and what it does, starting with the bottom of the hierarchy:

Compliance is about accomplishing your stated intent. A compliant state is one in which all conditions are satisfied, and compliance is the process of achieving that state.

Risk is about characterizing and mitigating the unknown. In other words, you must understand what might happen and then take proactive measures to avoid incidents that could create a negative impact.

Governance is all about the process of defining your policies and ensuring alignment with the proper stakeholders, including the corporate strategy.

This is the hierarchy, with compliance at the base, risk in the middle and governance at the top. You can take a top-down or a bottom-up approach to integration, but the points at which compliance meets risk and risk meets governance are where you need to focus. Where compliance meets risk, your solution needs to coalesce with all of your compliance points. This gives you an easier way to determine your real risks. Your compliance efforts will give you clues as to where your areas of risk reside. Your risk portfolio, however, is not complete with just a simple compliance scan. Your solution will need to flesh this out to finish the job. For instance, you may have a compliance issue involving the Payment Card Industry Data Security Standard that mandates you have a firewall present to protect the data of cardholders. It is a good idea to build efficacy around this, because if your network gets compromised by unethical parties, your cardholder data gets exposed. Once you understand this, you can uncover other compliance issues that will mitigate this risk.

Where risk meets governance, your solution needs to inform your policy creation. For starters, do not choose a solution that doesn't allow you to do quantitative risk analysis. The quantitative nature of such analysis lends itself well to business intelligence and analytics, which represent the integration point between your GRC and business intelligence solutions. This wealth of intelligence should be integrated with your governance function. For instance, it should highlight possible holes in your policy based on what's currently in your risk database. On the flip side, your policy creation should drive your risk portfolio. As each policy point is built, ask, "What could interfere with making this policy point happen?" Then log this answer in your risk database and use it to drive mitigation.

FLEXIBILITY IS KING

My second evaluation point is flexibility. When it comes to buying any GRC solution, the range of choices stretches from turnkey to fully customizable. My preference is to lean toward customizable. In my experience, turnkey solutions will not work. There are too many dynamics in the compliance space right now, and if your turnkey solution supports your needs today, I can pretty much guarantee that it won't support them tomorrow. As one example, early last decade, U.S. companies were primarily concerned with regulations like Sarbanes-Oxley, but the trend now, especially among firms with a multinational footprint, is to take a global approach to compliance. These firms are typically trying to meld national regulations with international standards into one holistic solution for economies of scale. It's not only prudent to do this, but it also represents a natural progression of the compliance function. After realizing this concern, I've seen many companies forced to revisit their GRC solutions because their existing solutions weren't flexible enough.

AIM FOR FUNCTIONAL BALANCE

My last evaluation point has to do with achieving a good functional balance among the three primary modules. What you see all too frequently today is a rich feature set in one module, such as risk, combined with only basic functions available in the compliance and governance modules. This is due, in part, to the evolution of the solution: A product initially focused on risk that adds governance and compliance as an afterthought simply won't be as complete as one that balances all three functions as a unified solution from the start. Although I don't normally advise it, there are times when it is OK to buy a complete solution even if you aren't going to use all of the functions right away. Besides, you never know when your organization might need those functions that you now consider marginal. Choosing a GRC solution should not be taken lightly. Every time your solution doesn't meet the necessary requirements, it leaves your company exposed. My suggestion is that you pick a solution that's integrated, flexible and balanced, and then match it up with your specific requirements. You will most assuredly reduce the risk of making an expensive and potentially dangerous purchasing mistake.

GRC Vendors

VENDOR                            PHONE           ADDRESS
Aline                             (484) 688-8300  1000 N. West St., Suite 1210, Wilmington, Del.
Approva Corp.                     (703) 956-8300  13454 Sunrise Valley Drive, Suite 500, Herndon, Va.
Axentis Inc.                      (216) 896-8400  1660 West Second St., Cleveland, Ohio
BWise Inc.                        (212) 584-2260  1450 Broadway, 38th Floor, New York, N.Y.
CA Inc.                           (866) 851-5273  One CA Plaza, Islandia, N.Y.
Cura Software Solutions Co.       (781) 325-7158  34 Crosby Drive, Suite 101, Bedford, Mass.
DoubleCheck LLC                   (770) 565-8616  101 Gibraltar Drive, Suite 1E, Morris Plains, N.J.
Guardium Inc.                     (781) 487-9400  230 Third Ave., Waltham, Mass.
Interfacing Technologies Corp.    (514) 737-7333  425, de Maisonneuve West, Suite 1100, Montreal, Quebec
McAfee Inc.                       (972) 963-8000  2821 Mission College Blvd., Santa Clara, Calif.
MEGA International                (781) 784-7684  175 Paramount Drive, Suite 303, Raynham, Mass.
Methodware                        (484) 924-9911  1735 Market St., Suite 479, Philadelphia, Pa.
MetricStream Inc.                 (650) 620-2900  2600 E. Bayshore Road, Palo Alto, Calif.
OpenPages Inc.                    (781) 647-3800  201 Jones Road, Waltham, Mass.
Oracle Corp.                      (650) 506-7000  500 Oracle Parkway, Redwood Shores, Calif.
Proofpoint Inc.                   (408) 517-4710  892 Ross Drive, Sunnyvale, Calif.
Protiviti Inc.                    (617) 330-4800  101 Arch St., Suite 1820, Boston, Mass.
Qumas Inc.                        (973) 805-8600  66 York St., Jersey City, N.J.
RSA Archer                        (913) 851-9137  13200 Metcalf Ave., Suite 300, Overland Park, Kan.
SAI Global                        (201) 986-1131  610 Winters Ave., Paramus, N.J.
SAP AG                            (800) 872-1727  3475 Deer Creek Road, Palo Alto, Calif.
Security Weaver LLC               (800) 620-4210  401 West A St., Suite 2200, San Diego, Calif.
Software AG                       (703) 860-5050  11700 Plaza America Drive, Suite 700, Reston, Va.
SymSoft Corp.                     (414) 292-3113  1201 North Prospect Ave., Milwaukee, Wis.
Thomson Reuters Corp.             (888) 288-0283  17400 Medina Road, Suite 850, Minneapolis, Minn.
Trintech Inc.                     (972) 701-9802  15851 Dallas Parkway, Suite 900, Addison, Texas
Unify Corp.                       (916) 218-4700  1420 Rocky Ridge Drive, Suite 380, Roseville, Calif.

A Decision Maker's Guide to GRC Solutions is produced by CIO/IT Strategy Media, © 2011 by TechTarget.

Jacqueline Biscobing, Managing Editor

Rachel Lebeaux, Assistant Managing Editor
Linda Koury, Director of Online Design
Ed Scannell, Executive Editor
Ben Cole, Associate Editor
John Weathington, Contributing Writer
Scot Petersen, Editorial Director

FOR SALES INQUIRIES
Theron Shreve, Senior Product Manager, tshreve@techtarget.com, (617) 431-9360

ABOUT THE AUTHOR:
John Weathington is president and CEO of Excellent Management Systems Inc., a San Francisco-based management consultancy. His clients include Fortune 100 firms such as Sun Microsystems Inc., Cisco Systems Inc. and eBay Inc.


RESOURCES FROM OUR SPONSOR

Risk & Compliance
Risk & Compliance Outlook 2011
McAfee Has Acquired Sentrigo: Comprehensive Security Solutions to Discover, Protect, and Monitor Database Environments
