While the cost of noncompliance is reason enough to motivate enterprises to be more vigilant in their business practices, enterprises can in fact capitalize on the regulations they face. Companies should view compliance as a way to improve their internal business processes across the organization. To do this, companies must take a holistic approach from top down, and harness the strategic software category of governance, risk management, and compliance (GRC). However, this may be easier said than done. So why might a holistic approach to GRC be difficult to achieve?
As discussed in SAP Solutions for Governance, Risk, and Compliance, much of the value creation and innovation within companies takes place as a consequence of the intricate relationships between people, processes, and systems—all of which are, as a rule, patchy across different organizations, functions, and geographies. This fragmentation can hold any enterprise back in a number of ways:
* Organizational fragmentation caused by disconnected, department-driven GRC activities customarily results in inconsistent policies, difficulty in predicting risk, a lack of enterprise transparency, and duplication of effort. As enterprises increase collaboration with trading partners, the consequences of having no central body coordinating GRC activities enterprise-wide intensify because most legislation holds them accountable for good governance and compliance within their own organization, as well as across the extended enterprise (supply chain).
* Most businesses lack GRC information integrity because their departments use different metrics, standards, software, and methodologies for analyzing risk and compliance information. This system fragmentation makes it difficult to aggregate data; gain a complete view of enterprise-wide risks; effectively monitor these risks and compliance; and adjust business processes to meet changing requirements, market trends, and regulatory mandates.
* Policies and risks are generally defined and measured at the local geographic level, without proper consideration for their impact on the global, multinational, national, or regional mandates with which an organization must also comply. Decision makers are often unaware of the interdependencies between mandates and the risks of noncompliance in specific regions and markets, whereby one region's risk might be another one's opportunity.
* Internal GRC discipline fragmentation is also an issue, since at the corporate level, as well as at the departmental and regional levels, there is general uncertainty around the meaning and scope of the disciplines of GRC. Most important, the management team may not recognize that these disciplines are inextricably linked and interdependent, and as a result the disciplines function independently instead of as part of an integrated strategy.
To be successful, companies have to align their corporate strategies with more effective oversight and institutionalized policy setting, risk management, and business process control. The only way to accomplish this goal is through an overall approach to GRC that unifies the above fragmented areas. Only then can a company hope to capture new information about emerging threats and opportunities, and exploit them for competitive advantage.
According to AMR Research, approximately two-thirds of compliance cost is attributable to people. This is because fragmented GRC efforts tend to result in "people-powered GRC" (or inefficient, manual processes that are duplicated across departments). Of even greater significance might be the lost opportunities that result from a tactical, fragmented approach to managing GRC. Without a comprehensive and cohesive GRC strategy, companies are deprived of a means to effectively navigate today's highly regulated (and ever-changing) business environments, as well as of a critical driver of revenue and competitive advantage.
Therefore, a multiplicity of government regulations, growing pressure from financial markets, and increasing demands from stakeholders have renewed the focus on GRC. Some forward-thinking organizations no longer see GRC as discrete, project-based activities managed as separate functions. Rather, they are adopting an overarching GRC strategy that guides people, standardizes processes, and unifies technology to embed GRC at every organizational level. That is to say, in the face of shifting industry conditions, compliance mandates, and governance requirements, companies need to take a broader, more structured approach to managing GRC to proactively identify and forecast inefficiencies and errors, adopt a risk-based approach toward embedding controls in business processes, and continuously monitor operations to optimize and guide future policy (see SAP Solutions for Governance, Risk, and Compliance).
To manage information technology (IT) and business risks at all levels of the organization, GRC's integrated solutions must be capable of monitoring business processes and IT controls automatically. Not only should an integrated approach offer top executives an actionable dashboard showing a more complete and more accurate risk profile of the company, but it should also detect high-risk events, and prioritize risk responses and corrective or, even better, preventive action.
This is the final part of a series on how various industries address compliance issues. For more information, please see the previous parts of this series: Thou Shalt Comply (and More, or Else): Looking at Sarbanes-Oxley; Important Sarbanes-Oxley Act Mandates and What They Mean for Supply Chain Management; Sarbanes-Oxley Act May Be Just the Tip of a Compliance Iceberg; Automotive Industry and Food, Safety, and Drug Regulations; "Evergreen"—Environmental Regulations for High-tech and Electronics, Chemical, and Oil and Gas Industries; and Global Trade and the Role of Governance, Risk Management, and Compliance Software.
GRC Defined, Starting with the Central Repository
Delving deeper into the individual GRC components, governance entails the oversight role, with the idea of setting strategic objectives the company wants to pursue, and then managing these. To that end, governance typically relies on a repository to centrally manage all GRC content, guide governance strategies, and improve business performance.
Such a repository should centrally document and store records to streamline and manage GRC content (including control frameworks; corporate policies and procedures; regulations; industry mandates; business process flows; risk libraries; control libraries; test plans; evidence of compliance; etc.). In other words, the central repository should enable consistent, effective, and efficient coverage of regulatory content (that is, frameworks, laws, internal company policies, etc.) by providing visibility into related requirements. Companies can then cross-reference their organizational policies and procedures with regulatory requirements to ensure compliance.
The key to a central repository is in centralizing and managing GRC content from multiple sources, and in its ability to model business processes and document associated objectives, risks, and control activities. Also important is the library of configurable business rules, business process controls, and IT controls to ensure proper segregation-of-duties (SOD), business process controls, and environmental and global trade compliance.
By harnessing a well-populated GRC repository, companies should benefit from enterprise-wide visibility into all GRC activities. This visibility should allow companies to analyze risk, make more informed decisions, and take a risk-based approach to satisfying multiple company initiatives and regulatory mandates.
In addition, users should be able to link these risks and controls to multiple security and control frameworks, such as the Committee of Sponsoring Organizations (COSO), the IT Infrastructure Library (ITIL), or the Control Objectives for Information and Related Technologies (COBIT), and to US mandates like the Sarbanes-Oxley Act (SOX) and the Food and Drug Administration (FDA) regulations. The repository often also enables adherence to official product classification schemas such as the US Harmonized Tariff Schedule (HTS) and the Export Control Classification Number (ECCN), which is issued by the Bureau of Industry and Security (BIS) for shipments that require an export license.
To illustrate the transformative power of a central GRC repository, consider all the SOD requirements defined within all pertinent compliance solutions. These SOD requirements would then be tied to access and authorization control applications that are integrated with the GRC repository application. This way, all of an organization's policies, initiatives, and regulations that require proper SODs (or, alternatively, that need appropriate definition and assignment of compensating controls) would be automatically documented within the GRC repository, complete with links to the appropriate access controls for automated monitoring. In doing so, enterprises should be able to take advantage of opportunities that they might not have noticed before to improve efficiency and transparency, optimize risk-and-return portfolios, and increase business predictability by rationalizing controls and risk responses across the enterprise.
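The automated SOD monitoring described above can be shown with a small worked example. The code below is an added illustration written for this article and is not code from the article, from SAP, or from any GRC product; the SOD rule library, the role-to-permission model, the user assignments, the policy references, and the compensating-control register are all constructed placeholders. It checks every user's effective permissions against a rule library of toxic permission pairs, records which roles grant each side of a conflict (so a single role that bundles both sides is flagged as a role-design defect rather than a mere assignment error), and downgrades a conflict to "mitigated" only when a documented compensating control exists for that user and rule.

```python
"""Segregation-of-duties (SOD) conflict check over role assignments.

Added example, not from the original article. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed SOD rule library: (permission_a, permission_b, policy reference).
# The policy references are placeholders, not real regulation identifiers.
SOD_RULES: List[Tuple[str, str, str]] = [
    ("create_vendor", "approve_payment", "policy FIN-01 (placeholder)"),
    ("post_journal", "approve_journal", "policy FIN-02 (placeholder)"),
    ("create_purchase_order", "receive_goods", "policy PRC-01 (placeholder)"),
]

# Constructed role-to-permission model, as an access-control system might export it.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment", "enter_invoice"},
    "gl_accountant": {"post_journal"},
    "gl_supervisor": {"approve_journal"},
    "buyer": {"create_purchase_order"},
    "warehouse": {"receive_goods"},
    # A single role that bundles both sides of a rule is a role-design defect.
    "procurement_lead": {"create_purchase_order", "receive_goods"},
}

# Constructed user-to-role assignments.
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["ap_clerk", "ap_manager"],
    "bob": ["gl_accountant"],
    "carol": ["buyer", "warehouse"],
    "dave": ["procurement_lead"],
    "erin": ["gl_accountant", "gl_supervisor"],
}

# Constructed register of documented compensating controls, keyed by
# (user, permission_a, permission_b) exactly as the rule is written.
COMPENSATING_CONTROLS: Dict[Tuple[str, str, str], str] = {
    ("alice", "create_vendor", "approve_payment"):
        "monthly vendor-master change review by internal audit (placeholder)",
}


@dataclass(frozen=True)
class Finding:
    """One SOD conflict for one user, with the roles that grant each side."""
    user: str
    perm_a: str
    perm_b: str
    roles_a: Tuple[str, ...]
    roles_b: Tuple[str, ...]
    policy: str
    status: str  # "violation" or "mitigated"

    @property
    def single_role(self) -> bool:
        # True when one role alone grants both conflicting permissions.
        return bool(set(self.roles_a) & set(self.roles_b))


def roles_granting(user: str, permission: str,
                   user_roles: Dict[str, List[str]],
                   role_permissions: Dict[str, Set[str]]) -> Tuple[str, ...]:
    """Return the sorted roles of `user` that grant `permission`."""
    return tuple(sorted(
        role for role in user_roles.get(user, [])
        if permission in role_permissions.get(role, set())
    ))


def find_sod_findings(user_roles: Dict[str, List[str]],
                      role_permissions: Dict[str, Set[str]],
                      rules: List[Tuple[str, str, str]],
                      compensating: Dict[Tuple[str, str, str], str]) -> List[Finding]:
    """Evaluate every user against every SOD rule.

    A conflict is "mitigated" only if a compensating control is documented
    for that exact user and rule; otherwise it is an open "violation".
    """
    findings: List[Finding] = []
    for user in sorted(user_roles):
        for perm_a, perm_b, policy in rules:
            roles_a = roles_granting(user, perm_a, user_roles, role_permissions)
            roles_b = roles_granting(user, perm_b, user_roles, role_permissions)
            if roles_a and roles_b:
                status = "mitigated" if (user, perm_a, perm_b) in compensating else "violation"
                findings.append(Finding(user, perm_a, perm_b, roles_a, roles_b, policy, status))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts a dashboard would show: open violations, mitigated conflicts, role defects."""
    return {
        "violation": sum(1 for f in findings if f.status == "violation"),
        "mitigated": sum(1 for f in findings if f.status == "mitigated"),
        "single_role_design_defects": sum(1 for f in findings if f.single_role),
    }


if __name__ == "__main__":
    results = find_sod_findings(USER_ROLES, ROLE_PERMISSIONS, SOD_RULES, COMPENSATING_CONTROLS)
    for f in results:
        kind = "ROLE DEFECT" if f.single_role else "assignment"
        print(f"{f.status:9} {f.user:6} {f.perm_a} + {f.perm_b} "
              f"via {f.roles_a}/{f.roles_b} [{kind}; {f.policy}]")
    print(summarize(results))
```

The distinction the code draws is the one a repository-driven control would need: an open violation points at an access request to revoke, a mitigated conflict points at a compensating control whose evidence must be collected, and a single-role defect points at the role design itself, which no user-level change can fix.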
… Which (Ideally) Manages All Conceivable Risks
Risk management applications provide frameworks for identification of risk; analysis of potential impacts and appropriate responses; and the monitoring of mitigating actions and reporting—all in a structured manner. When implemented holistically, more effective risk management practices should be able to improve decision making and create significant value throughout the enterprise.
But too often, actual risk management practices are reactive, theoretical tasks performed in departmental silos, and these practices overlook critical interactions between risks. At the same time, because risk management is often regarded as a theoretical exercise with no practical methodology, organizations are not equipped to recognize critical risks; to analyze risk-reward trade-offs; and to respond appropriately based on quantitative cost and benefit analysis metrics. The idea is thus to deploy appropriate risk management applications, and implement proactive, collaborative processes throughout the entire enterprise. Such applications will enable companies to balance new business opportunities with financial, legal, and operational risks.
A full-fledged risk management application suite should provide a best-practice framework for enterprise risk identification, collaborative risk analysis, risk-response management, and continuous risk monitoring and reporting. Such an application suite should help users to effectively anticipate and respond to changing business conditions. The applications should also ideally include executive-level, personalized dashboards, scorecards, and reports that provide users with visibility into key risk metrics and policy compliance.
The aim is for users to be able to monitor the overall risk portfolio, including cohesive, global profiles of operational and entity-level risks ("heat maps"), and then to analyze risk in terms of severity and impact on a monetary and qualitative basis. Furthermore, users should be able to balance the costs of risk avoidance against new business opportunities. They should also be able to alert management when high-impact and high-probability risks exceed company-specific thresholds, and to prioritize corrective action using role-based dashboards and alerts.
SOURCE:
http://www.technologyevaluation.com/research/articles/the-challenges-of-defining-and-managing-governance-risk-management-and-compliance-18919/