Dhanasekaran M, Director - Governance, Risk & Compliance and Cybersecurity, Cognizant Technology Solutions
Organizations that use technology to enable their GRC processes have the potential to reduce the cost of risk management, enhance compliance and audit, streamline reporting, and better manage risk.
Through technology enablement, organizations can build a foundation that brings efficiency, integrity, and consistency to their GRC processes.
Key business drivers for GRC automation, that is, technology enablement of an organization's GRC processes, include the growth in regulatory compliance requirements, increasingly complex risk management requirements, and rising shareholder and board expectations. Among these are global data protection legislation, HIPAA/HITECH compliance requirements, Dodd-Frank Act requirements, increased pressure to comply with the NIST Cybersecurity Framework in the federal space, and regulatory updates across PCI DSS, FFIEC, and other industries. Additional drivers are the duplication of activities across risk and compliance processes, methods and infrastructure; optimization of the control functions by reducing scope creep and duplication of controls across multiple functions; managing cost by automating GRC process activities; the demand for more comprehensive, consolidated, and actionable GRC information; and the consolidation of risk and compliance activities during mergers and acquisitions.
Core solution components of GRC are:
- Business hierarchy: consideration of the functional and line-of-business (LOB) structure within the organization, or an entity hierarchy embedded within the tool
- Population/inventories/authority information: identification of the industry regulations and authoritative sources to align with, and determination of how the asset management tool (CMDB) is integrated for applications, supporting infrastructure, databases, operating systems, and data centers
- Access control strategy: the groups, roles, and privileges assigned to users
- SSO integration with the organization's directory services to simplify authentication and user access administration
For any organization, the key design considerations while implementing a GRC automation platform are:
- Convergence of risks, controls, processes, issues, and themes
- Roadmap and strategic approach
- Reporting requirements and data considerations
- Solution ownership and governance
- Process and workflow requirements
- Functional and technical requirement validation
- Implementation management
- Support personnel and management
Typical challenges that organizations and GRC platform vendors encounter while implementing an automation platform for GRC management:
- Functional requirements, along with organizational and process convergence, should be defined prior to tool selection by performing a use analysis and assessing the change management requirements within the organization
- Organizations that purchase a solution first and only then attempt to converge their risk organizations and processes face many challenges
- Many organizations will need to customize their selected GRC platform or change their processes, methodologies, and hierarchies to have a successful GRC technology implementation
- A lack of understanding of how other business tools can be integrated with GRC platforms and future GRC requirements
- Content management decision: when aligning to leading frameworks, regulations, and practices, the organization must decide whether it will rely on a vendor to provide and manage content going forward or will customize and manage the content itself
- Timeframes for implementation are often underestimated; most organizations will need 12-24 months for a successful implementation and to realize the complete operational competency benefits
- Tool cost is often underestimated because the customization, or the functional and process modifications, that the organization will need are not properly calculated
- Vendor support and experience with business-aligned deployments are limited
- Lack of experience and knowledgeable resources that are dedicated to GRC platform implementation
- A key consideration when analyzing GRC solutions is the concept of customization vs. configuration. These are two distinct terms, and the difference has a significant impact on a GRC platform's ability to meet or exceed business and functional requirements
- Configuration refers to altering a GRC platform by making basic changes to its "out of the box" capability to meet business requirements. This does not greatly enhance the platform's functionality. Examples of configuration include changing colors and adding or deleting fields
- Customization refers to altering and enhancing a GRC platform by making advanced changes to its "out of the box" capability to meet business requirements. This can greatly enhance a GRC platform's functionality. Examples of customization include building custom workflows, using external application code such as Java or HTML to extend the platform's functionality, using advanced calculations and logic, and integrating data with multiple systems and data sources
Almost all GRC vendors have demonstrated that they have the capabilities and drive to meet complex and sophisticated enterprise demands, but it has not been easy. As technologies become more mature, the programs they are being asked to support are becoming mature as well.