The Enterprise Governance, Risk and Compliance Platform Defined
Many enterprises are consolidating their governance, risk and compliance (GRC) activities and are taking a team approach to compliance and risk management. GRC management vendors that offered solutions focused on Sarbanes-Oxley compliance or operational risk management now offer platform-based enterprise GRC management solutions. These support multiple types of compliance, operational risk management, audit management and policy management, as well as the ability to integrate with the general ledger and other business applications, and to collect and aggregate automated controls information.

Key Findings

  • Enterprises are evaluating the effectiveness of GRC management solutions for multiple GRC activities.
  • An enterprise GRC platform supports audit management, compliance management, risk management and policy management, key supporting functionality, integration with business applications and controls, and GRC information management.
  • Use an enterprise GRC platform to help reduce the complexity of managing compliance and risk management in a multiregulatory environment. It offers a common platform for integrating and managing a variety of compliance and risk management programs, which is critical for reducing redundancy in policies, controls and reporting requirements associated with overlapping regulatory and other mandated requirements.
  • Adopt an enterprise GRC platform for access to a common workplace for a cross-enterprise team approach to compliance and risk management.
  • Evaluate ease of integration, a critical differentiator when working with the general ledger and other business applications, business intelligence, enterprise content management (ECM), and control automation and monitoring.
Strategic Planning Assumption
By 2010, compliance and risk management point solutions that cannot integrate with enterprise GRC platforms will be displaced.

1.0 Introduction
Enterprise GRC offers a common platform for integrating and managing a variety of compliance and risk management programs.

Enterprises typically consider a GRC management application to satisfy a specific requirement, such as Sarbanes-Oxley compliance, an industry-specific regulation or operational risk management for a business process. However, enterprises often have other GRC activities, such as audit management, additional regulations, IT governance, remediation management and policy management, which they may eventually integrate into a more consolidated enterprise GRC approach. Most enterprises are also looking for solutions that support their strategies for more controls automation. Although they may have a specific requirement in mind, many enterprises are concerned that point solutions will impede their holistic visions.

An enterprise GRC platform must solve an immediate need and also enable the enterprise to pursue future consolidation and integration of GRC activities. The platform should provide the integration foundations of an overall enterprise GRC architecture by integrating effectively with business applications, and controls automation and monitoring solutions. Although it will not contain all the GRC architecture elements in one box, the platform should provide functionality for the primary GRC activities: audit management, compliance management, risk management and policy management, key supporting functionality, integration with business applications and controls, and GRC information management (see Figure 1).

Figure 1. Enterprise GRC Platform Source: Gartner (February 2008)

No vendor provides all the capabilities for an enterprisewide approach to GRC activities. Due to the diversity of controls activities and the complexity of the controls architecture, Gartner does not foresee a fully integrated out-of-the-box GRC solution emerging. Controls are more likely to become embedded in business applications and networks, rather than in the GRC solution. The enterprise GRC solution should coalesce, analyze and assess information from those applications, networks and other sources.

Although controls activities will be distributed, the monitoring, testing and reporting will need to be brought together in a single source of record, and will have to support a number of risk management and compliance professionals, auditors, executives and other parties. Due to this demand for better collaboration and information sharing among audit, risk management and compliance professionals, and better reporting to executives, the board, regulators and other external parties, some GRC vendors are providing the primary enterprise GRC management functions from a common platform.

An enterprise GRC platform needs to provide:

  1. Primary enterprise GRC management functions
  2. Supporting functions
  3. Integration
  4. Information management
Vendors that offer all the primary functions often do not provide effective integration, and those with good integration capabilities often do not support all the primary functions.

2.0 Primary Enterprise GRC Management Functions
The primary purpose of the enterprise GRC platform is to automate much of the work associated with the documentation and reporting of the risk management and compliance activities that are most closely associated with corporate governance. The primary end users include internal auditors and the audit committee, risk and compliance managers, and accountable executives. The key functions of importance to these groups are:

  • Audit management – Supports internal auditors in managing work papers, and scheduling audit-related tasks, time management and reporting.
  • Policy management – A specialized form of document management that enables the policy life cycle from creation to review, change and archiving of policies.
  • Compliance management – Supports compliance professionals with the documentation, workflow, reporting and visualization of control objectives, controls and associated risks, surveys and self-assessments, testing and remediation. At a minimum, enterprise GRC management will include financial reporting compliance (that is, Sarbanes-Oxley compliance), but it can also support other types of compliance, such as ISO 9000, PCI (payment card industry) requirements, industry-specific regulations, service-level agreements, trading partner requirements and compliance with internal policies.
  • Risk management – Supports risk management professionals with the documentation, workflow, assessment and analysis, reporting, visualization and remediation of risks. This component focuses on operational risk management but may collect credit and market risk information from other risk management tools to provide a consolidated view of enterprise risk management. There will be specific industry-focused risk management requirements. For example, for banking, it can include highly specialized capabilities for Basel II compliance.
3.0 Enterprise GRC Management Supporting Functions
The most important supporting function of the platform is reporting, including visualization. Internal auditors and other GRC professionals must be able to generate periodic reports and ad hoc reports supported by analytics. To generate the appropriate views and reports, effective policy mapping is needed. The board, the audit committee and external auditors should be able to access reports. Because most controls monitoring requires some human involvement, a survey self-assessment capability is required to query process/control owners. Remediation management is important to manage corrective actions.

An optional supporting function is board communications, a process that supports the board’s GRC activities and its other operating collaboration and information sharing needs. Process owners who are responsible for many of the control activities will need access to review the status of their controls, testing, remediation and reporting on controls status, tests and corrective actions. Key activities that align with the enterprise GRC platform are:

  • Reporting – The ability to roll up compliance and risk data in formats that are acceptable to auditors, examiners and assessors, risk and compliance managers, process owners, executives and the board. Pre-defined reports and ad hoc reporting capabilities, combined with analytics and trending, are important.
  • Visualization – This subset of reporting includes the ability to publish formal, Web-based reports (dashboards) with intuitive displays of information, including dials, gauges and traffic lights. These displays indicate the state of the risk and compliance metrics, compared with a goal or target value.
  • Policy mapping – Maps rules and other source requirements to policies, and maps policies to risks, control statements or objectives in the risk/controls matrix and controls. It is a component of an advanced policy management solution that links a policy to the controls architecture. It also may be a component of compliance, audit and risk management solutions, linking content within those solutions to policies that may be retained in a policy management or document management repository.
  • Risk/controls matrix – A tabular repository of control objectives, control descriptions and related risks. It may be based on publicly available frameworks, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and Related Technology (CobiT), on the enterprise’s proprietary framework, or a combination of both.
  • Analytics – A number of analytic tools can be included – for example, simple risk comparison based on likelihood and impact, Monte Carlo simulation, scenario analysis, trending, co-variance calculation, and audit data extraction and analysis. Common to all these tools is that they support human analysis of data. If the analyses of controls are done frequently and are the same each time, then they can be converted into business rules and will become part of the controls architecture.
  • Survey self-assessment – A tool for the development of questionnaires requesting information on the status of risks or manual process controls. The questionnaire goes to the process, risk or control owner. The individual answers the questions, runs a test if required, and attaches the requested evidence. Results are presented to management, risk or compliance managers, and/or auditors. Results that indicate that risks are out of tolerance, at risk of going out of tolerance or are control failures should trigger remediation actions.
  • Remediation management – A light project management function that enables assignment of accountability for a deficiency, test failure or incident corrective action, naming a team to correct it, developing a plan and status tracking, and reporting the steps taken and final corrective action. It will track the life cycle of identified gaps and authorized exceptions. It should include the ability to age and track the expiration of exceptions. Reporting should support auditor requirements for historical data on the closure of gaps and reauthorization or closure of exceptions. This capability is often an element of audit, compliance or risk management, but also may be provided through integration with functions from a stand-alone help desk solution or other incident, case management or remediation tracking solution.
  • Certification – A means to certify that personnel are aware of policies, have read the policies that apply to them and received requisite training, and acknowledge their accountability and responsibility with respect to policies and controls.
  • Development – A set of programmatic development tools coupled with a software developer’s kit for creating enterprise GRC applications. The enterprise GRC platform should also enable developers to build enterprise GRC applications without coding by using wizard-like components for a graphical assembly process. The development environment should also support Web services in performing common tasks, such as scheduling, delivering, administering and managing those tasks.
4.0 Integration Functions
Many of the platform's primary and supporting functions can be implemented without integration; however, the more that GRC activities are automated and the more they are used to support and improve performance, the greater the benefits from integration. Basic integration includes the tools and applications supported directly on the platform; they should have the same look and feel. As enterprises automate their controls, they may also want to run tests and report controls status automatically, thus requiring integration with the controls architecture.

Business application integration may occur for two reasons: first, using business rules and analytics to automate process controls; and, second, to integrate reporting for corporate performance management (CPM). The latter choice presents a number of issues that, at this stage of development of enterprise GRC platforms, are unanswerable: Does the enterprise choose to use a common reporting platform, or does it add enterprise GRC as one more of many reporting platforms? The same question applies to integration of content management: Should the enterprise GRC platform integrate with an ECM application? These are questions that rest with the overall development of an enterprise architecture. The enterprise GRC platform should be able to support either option: integrate with other enterprise platforms for reporting and content management, or use the enterprise GRC reporting and content management capabilities. Key functions are:

  • GRC infrastructure – A structure to ensure commonality. All tools in the platform should use the same security, content repository, metadata, administration, portal integration, object model and query engine. They should share the same look and feel.
  • Controls architecture integration – The ability to collect monitoring and testing information from technical controls (for example, general computer controls information), automated process controls (for example, segregation of duties for ERP) and system controls (for example, data loss prevention). For automated collection of controls information from tools that run continuously, the data may need to be aggregated and presented in many different ways; thus, business rule engines, analytics and modeling tools will be important components of the integration architecture. The survey self-assessment tool provides for the controls architecture integration for manual process controls. Where an automated integration interface does not exist, the survey tool can be used to collect system, technical and automated process control information from the control owners.
  • Business application integration – For financial compliance management and integration with the general ledger. Other types of compliance and risk management will require other integration points. For instance, supply chain risk and environmental, health and safety compliance would integrate with supply chain management applications. Compliance and risk management applications may also integrate with CPM applications to improve forecasting. Integration with ECM may be important for organizations that have established their ECM solution as the repository of record for all enterprise records. Many types of GRC integrations with business applications are imaginable, and business process management (BPM) technologies would be used to integrate GRC with financial and other business processes. Integration could be as simple as downloading data from the business application, or it could involve complex workflows enabled through BPM, analytics, and models with multiple business-rule-engine-driven interactions of GRC and business applications.
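The supporting functions of section 3.0 (policy mapping, the risk/controls matrix, likelihood-times-impact analytics, survey self-assessment feeding remediation, and the aging of authorized exceptions) and the controls-architecture integration of section 4.0 are easier to reason about as one small data model. The following Python is an added example written for this page, not code from the Gartner note or from any GRC vendor. The regulation names, control identifiers, the monitoring feed, the exception and the tolerance threshold are all constructed for illustration; a real platform would take the feed from configuration auditing, an ERP segregation-of-duties monitor and a survey tool, and would store the matrix in its repository.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed tolerance: a failed control whose likelihood x impact reaches this opens remediation.
TOLERANCE = 10


@dataclass(frozen=True)
class Control:
    cid: str
    objective: str
    kind: str        # "automated", "technical" or "manual" (the section 4.0 categories)
    likelihood: int  # 1-5: chance the related risk materialises while the control is failed
    impact: int      # 1-5

    @property
    def risk_score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class AuthorizedException:
    cid: str
    granted: date
    days_valid: int

    def expired(self, today: date) -> bool:
        return today >= self.granted + timedelta(days=self.days_valid)


# Risk/controls matrix (constructed entries).
CONTROLS = {c.cid: c for c in [
    Control("C-SOD", "No one both creates vendors and approves payments", "automated", 3, 5),
    Control("C-ACCESS", "Privileged accounts reviewed quarterly", "technical", 4, 4),
    Control("C-RECON", "Bank reconciliation signed off monthly", "manual", 2, 3),
]}

# Policy mapping: each requirement lists the controls that satisfy it (many-to-many),
# so one shared control is tested once and reported to every requirement that needs it.
POLICY_MAP = {
    "SOX-404": ["C-SOD", "C-ACCESS", "C-RECON"],
    "PCI-DSS-8": ["C-ACCESS"],
    "Internal-Access-Policy": ["C-ACCESS", "C-SOD"],
}

# Constructed controls-architecture feed: automated and technical results arrive from
# monitoring tools; the manual control arrives as a survey self-assessment answer.
CONTROL_FEED = [
    {"ts": "2008-02-01", "cid": "C-SOD", "source": "erp-sod-monitor", "result": "pass"},
    {"ts": "2008-02-15", "cid": "C-SOD", "source": "erp-sod-monitor", "result": "fail"},
    {"ts": "2008-02-10", "cid": "C-ACCESS", "source": "config-audit", "result": "fail"},
    {"ts": "2008-02-12", "cid": "C-RECON", "source": "survey", "result": "pass"},
]

# A constructed authorized exception that ages out on 2008-03-01.
EXCEPTIONS = [AuthorizedException("C-ACCESS", date(2008, 1, 1), 60)]


def latest_results(feed, today: str) -> dict:
    """Most recent result per control, ignoring entries dated after `today` (ISO date)."""
    latest = {}
    for r in sorted(feed, key=lambda r: r["ts"]):
        if r["ts"] <= today:
            latest[r["cid"]] = r
    return latest


def control_status(cid: str, results: dict, active: set) -> str:
    """pass / fail / exception (failed but covered by a valid exception) / untested."""
    r = results.get(cid)
    if r is None:
        return "untested"
    if r["result"] == "pass":
        return "pass"
    return "exception" if cid in active else "fail"


def rollup(today: str):
    """Per-control status and per-requirement status as of `today` (ISO date string)."""
    as_of = date.fromisoformat(today)
    results = latest_results(CONTROL_FEED, today)
    active = {e.cid for e in EXCEPTIONS if not e.expired(as_of)}
    statuses = {cid: control_status(cid, results, active) for cid in CONTROLS}
    order = ["fail", "untested", "exception", "pass"]  # worst status wins for a requirement
    per_req = {req: min((statuses[c] for c in cids), key=order.index)
               for req, cids in POLICY_MAP.items()}
    return statuses, per_req


def open_remediation(statuses: dict) -> list:
    """Failed controls with no valid exception whose risk score breaches tolerance."""
    return sorted(cid for cid, s in statuses.items()
                  if s == "fail" and CONTROLS[cid].risk_score >= TOLERANCE)


def test_count() -> tuple:
    """Tests per cycle if each requirement is handled separately vs. once per shared control."""
    naive = sum(len(cids) for cids in POLICY_MAP.values())
    shared = len({c for cids in POLICY_MAP.values() for c in cids})
    return naive, shared


if __name__ == "__main__":
    for day in ("2008-02-19", "2008-03-05"):
        statuses, per_req = rollup(day)
        print(day, per_req, "remediate:", open_remediation(statuses))
    print("tests per cycle: %d separately, %d consolidated" % test_count())
```

Run on 2008-02-19 the segregation-of-duties failure opens remediation while the access-review failure is reported as a covered exception; run again on 2008-03-05 the exception has aged out, so the same feed now fails PCI-DSS-8 as well and a second remediation item opens, which is the expiry tracking the remediation bullet asks for. The mapping also makes the redundancy point concrete: three requirements would need six control tests handled separately but only three when the shared controls are tested once.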
5.0 Information Management Functions
One reason to undertake enterprise GRC is to reduce redundancies in controls, testing and reporting. Thus, sharing information between applications and groups of end users through effective content management and common metadata is a critical capability. Supporting the human dimension of information sharing is also important, which makes workflow and collaboration a requirement. The areas to evaluate are:
  • Content management – Full ECM functionality is not required. Key content management functionality needed for GRC includes core document library services (check-in/check-out, version control and document-level security), document routing, document-centric collaboration (document sharing, project team support and support for ad hoc, threaded discussions related to documents). Some enterprises will want to integrate their record-retention programs with compliance management, and therefore will want additional records management functionality. Although basic GRC content services are included natively in the solution, advanced functionality often is delivered through integration with an ECM vendor.
  • Metadata management – All tools and applications should leverage the same metadata. The solution should provide a robust way to search, capture, store, reuse and publish metadata objects – such as dimensions, hierarchies, compliance and risk metrics – and report layout objects.
  • Workflow and collaboration – This capability enables GRC users to share and discuss content via public folders and discussion threads. In addition, the GRC solution can assign and track events or tasks allotted to specific users, based on pre-defined business rules. Often, this capability is delivered by integrating with a separate portal or workflow tool.
6.0 Finance, IT and Vertical-Focused Solutions
The GRC management marketplace is extraordinarily complex, reinforcing the need for finance, IT, vertical industry and other specialized GRC management solutions. These focused solutions offer targeted content and domain expertise in their designs. They also may include additional functions that would not be in an enterprise GRC platform. For enterprises pursuing a cross-enterprise GRC team approach, these specialized GRC management solutions should be integrated into the enterprise GRC platform, rather than replicate platform functions. Specialized GRC management solutions that Gartner covers, or is adding coverage in 2008, include:
  • IT GRC management – IT GRC management solutions have a repository, basic document management, good workflow, survey and reporting functionality, and dashboarding, with policy content that is specific to IT controls, and support automated measurement and reporting of IT controls. IT GRC management solutions may take input from controls automation and monitoring tools, such as configuration auditing, identity and access management, and security information and event management.
  • Financial governance – A new market that will emerge in three to five years. Financial governance will combine elements of ERP, enterprise GRC platforms and CPM suites. It will build additional process controls around financial consolidation to support financial-close processes and the production of periodic financial statements for regulators. It will augment the financial controls in enterprise GRC platforms with broader controls-monitoring capabilities. When delivered as a comprehensive solution, it will enable CFOs to better manage financial risk.
  • Environmental health and safety – With increasing attention on corporate social responsibility and compliance with environmental initiatives, industries that have a major impact on the environment – such as in the natural resources sector and heavy manufacturing – are looking to software in the environmental, health and safety arena to help them manage risks and compliance in this critical area.
  • Operational risk management for banking and investment services – Gartner uses the Basel Committee on Banking Supervision’s definition of “operational risk”: “The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.” This definition includes legal risk, but excludes strategic and reputational risk. Operational risk management solutions are expected to include the provision of one or more of the following capabilities: risk model stress testing, external-loss database integration, multiformat data management, capital calculation engine, risk policy and controls management, business process rule engine with modeling and mapping tools, auditing and certification, and enterprisewide, as well as departmental or line of business, evaluations.
Acronym Key and Glossary Terms
BPM – business process management
CobiT – Control Objectives for Information and Related Technology
COSO – Committee of Sponsoring Organizations of the Treadway Commission
CPM – corporate performance management
ECM – enterprise content management
GRC – governance, risk and compliance
PCI – payment card industry
The enterprise GRC platform provides a way to unify the complex GRC architecture and enables a common reporting capability for a wide variety of GRC activities. As new regulations or other mandates arise, having a common platform enables enterprises to develop and integrate their own solutions, use solutions that the platform vendor provides, acquire and integrate solutions from best-of-breed vendors, or a mix of all those approaches. Thus, the enterprise GRC platform, through integration of the technologies and information supporting multiple GRC activities, is a critical element of the strategy for a cross-enterprise team approach to compliance and risk management.

Contributors to this research include: Tom Eid, Paul Proctor, Mark Nicolett, David Furlonger, Doug McKibben, John Van Decker, Nigel Rayner and Dan Miklovic.

Source: Gartner RAS Core Research Note G00155196, French Caldwell, 19 February 2008
