Governance, Risk and Compliance Platform Considerations

Transcription

1 Governance, Risk and Compliance Platform Considerations

2 Executive Summary Integration of multiple governance, risk and compliance (GRC) disciplines on a single platform is increasing, yet barriers to successful integration of the technology across numerous groups remain. Many organizations continue to use multiple GRC technologies to fulfill different departmental needs, and different platforms are used for IT GRC and enterprise GRC (egrc). Within the egrc space, integration is most often encountered among internal audit, financial controls and enterprise risk assurance. Compliance-oriented functions have been less inclined to integrate on a single platform this is due in part to the specific subjectmatter expertise required of the different compliance functions, thus making the broader risk and control sets documented by other groups less relevant to compliance teams. Yet, The Institute of Internal Auditors (The IIA) position paper, The Three Lines of Defense In Effective Risk Management and Control (January 2013), provides good insight into why it makes sense to bring these functions together, at least on an aggregated level, even if subsets of information are contained in other source systems: It will enable the three lines (operational/ business line managers, risk and compliance functions, and internal audit) to coordinate activities, map assurance functions and perform independent validation. Organizations will find value in integrating the above disciplines on a single platform but they must first find ways to overcome common barriers associated with the integration process, including: Lack of sponsorship and leadership to drive integration across multiple groups Lack of collaboration across groups Lack of a unified GRC framework, or a common language Complexity of existing technologies Lack of effective change management Lack of demonstrable return on investment (ROI) GRC technology will not solve all integration barriers by itself. Certain components must already be in place policies, processes and infrastructure, which GRC technology can help bring together to unify and meet enterprise objectives. To help your company in your consideration of GRC technology, this paper outlines: GRC domains Key elements of a GRC platform Software evaluation considerations 1

3 GRC DOMAINS GRC solutions are typically grouped into the GRC domains described below. Each domain may have one or more subgroupings (e.g., the compliance domain has a variety of industry- or regulatory-specific subdomains such as anticorruption, financial services regulatory tracking, Bank Secrecy Act (BSA)/PATRIOT Act, Basel, and Solvency II). Enterprise Risk Management (ERM) ERM platforms help companies execute their business strategies while managing enterprise and operational risks. They are designed to support management s articulation of business objectives, key strategies and risk appetite. The platform should enable a clear linkage of risks to performance objectives and facilitate the communication between leadership and the lines of business (LOBs) regarding responsibility to execute strategies within clearly defined tolerances. To support operational risk programs, ERM platforms enable development of detailed risk and control registers, and support client-tailored assessment exercises as well as tracking of related incidents. They allow for different assessment methodologies across assurance disciplines that can be consolidated and aggregated into a broader corporate risk profile. Companies adopting more analytical approaches may also use the platforms to track actual, near-miss and scenario-based incidents that directly link to related objectives, risks and controls as well as incorporate key performance indicators (KPIs) and key risk indicators (KRIs) from multiple source systems. Finally, ERM platforms may either directly support, or provide inputs into, other third-party engines to support data modeling for certain types of quantitative analysis used for certain types of financial risks (e.g., credit, market, liquidity) and operational risk capital allocation. ERM platforms include features that help organizations do the following: Establish a risk model or framework that documents a common risk language across the organization, allowing risk managers to compare and manage risks across the enterprise Deploy risk assessments through an integrated workflow and survey engine, helping risk managers to identify and focus on the right risks at the right time to minimize exposure Develop response strategies to address identified risks and manage the implementation and execution of the strategies through completion Identify KRIs and establish acceptable thresholds that generate alerts to stakeholders and executives when thresholds are violated, allowing risk managers to take quick action to mitigate risk Manage incidents and their impact on the business through data collection, reporting, root cause identification and accountability, inclusive of scenario analysis Compliance Management Compliance platforms help companies incorporate compliance with external laws and regulations as well as internal policies into their enterprise risk profile. Platforms typically combine content and policy management with external regulatory feeds and internal controls to provide companies with a rationalized framework for managing externally and internally driven compliance programs efficiently. These platforms workflow and assessment engines support tailored, scalable methods for communicating and monitoring adherence to policies across LOBs, products and services. They leverage a relational architecture allowing program managers to connect front-office activities (e.g., underwriting a loan) with back-office processes and capabilities (e.g., IT systems that support the process), highlighting areas requiring remediation and supporting management of compliance-oriented projects. 2

4 Compliance platforms include features that help organizations do the following: Manage policies, including documentation, review, communication and attestation Integrate policies with other enterprise content and records management systems such as Microsoft SharePoint Monitor external regulations through feeds from third-party content providers and involve business-line representatives in the impact assessment via streamlined workflows Associate regulations and risks to policies and controls in a way that allows organizations to apply rationalized compliance efforts efficiently to multiple regulatory and risk management activities Offer elearning modules to communicate corporate brand and ideals, promote employee education, and comply with training requirements incorporated into various laws and regulations in a cost-effective manner Prioritize and manage compliance projects in the context of broader corporate initiatives and resource allocation, enabling the balancing of profit-driving strategies with regulatory imperatives Information Technology (IT) Governance IT governance platforms help companies align IT strategy with the needs of the business by establishing IT-centric risk and compliance processes that allow for effective management of business risks and external regulations. They serve as a central repository of the IT environment and allow organizations to prioritize and manage IT projects while optimizing resource allocation, effectively balancing strategic initiatives with equally necessary compliance imperatives. In addition, IT platforms facilitate the drawing of clear associations between key elements of the IT infrastructure and the company s business lines, products, services and processes. They enable policy management and facilitate bidirectional assessment of the business risks that IT controls mitigate as well as the risks originating in IT that may adversely impact the business. Incident, KPI and KRI tracking quickly bring to the surface IT exposures originating from assessment exercises as well as integrated source systems, and include workflow to manage related exceptions. IT governance platforms include features that help organizations do the following: Inventory the IT landscape, including assets, processes, services, applications and infrastructure elements Prioritize and manage IT projects based on the balance of strategic objectives and compliance requirements Develop, maintain, communicate and monitor adherence to IT policies Implement standard frameworks, including ITIL, COBIT, ISO27002, PCI, GLBA and HIPAA Highlight the results of IT risk assessments, incidents and threshold breaches in the context of related business products, services and processes to draw attention quickly to areas requiring attention Develop business continuity plans, including checklists, workflow templates, questionnaires, assessments and planning guidance Test general computing controls and assess the impact of these controls on key business processes Remediate issues and risks through action plans and tasks generated through automatic notifications and workflows Integrate their platforms with third-party IT monitoring tools to identify potential IT vulnerabilities that require remediation 3

5 Financial Controls Financial controls platforms have capabilities designed to improve corporate governance and facilitate compliance with financial reporting regulations in a cost-effective manner. The platform serves as a repository for all internal control documentation, evaluation, testing and remediation inclusive of financial reporting certifications. Increasingly, financial controls platforms provide continuous controls monitoring capabilities that directly link data analysis of enterprise resource planning (ERP) transactional data to test or KRI results, allowing monitoring for exceptions or threshold breaches. Financial controls platforms include features that help organizations do the following: Complete a financial risk-based scoping exercise and prioritize key risks and controls that affect compliance with financial reporting regulations Create process, risk and control documentation in a central repository, allowing for analysis of entities, processes and IT systems Deploy design and operating effectiveness assessments to control owners through an integrated survey engine to drive accountability and simplify the user experience Validate controls through independent testing and continuous monitoring, providing assurance about the control environment Facilitate disclosure certification of gaps and weaknesses through dashboards and reports that compile information based on internal analysis and testing of controls Integrate remediation management into processes through action plans, automatic notifications to business owners and reporting to ensure that deficiencies are addressed Internal Audit (IA) Internal audit GRC platforms help companies integrate internal audit into their GRC programs to bring a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes. 1 The integration of audit capabilities into the broader GRC platform not only facilitates execution of the annual audit plan, but helps IA professionals to share their insights with other groups and view and leverage the work of others to ensure appropriate coverage of enterprise risks. IA GRC platforms typically integrate scheduling and work paper management with the shared GRC register, allowing auditors to leverage the work of other disciplines while also providing independent validation of policy and control procedures. IA platforms are designed to support the end-to-end audit lifecycle management, including enterprise risk assessment, planning, execution, reporting, monitoring and follow-up. They also provide a central repository for all audit work, making it easy to find and manage. Many GRC platforms include time and expense management, auditor profile management and offline work paper management. 1 Internal audit capabilities should be aligned with The IIA s International Professional Practices Framework, as a best industry practice. Companies should take this into consideration when evaluating solutions. 4

6 IA capabilities help organizations do the following: Automate the audit process, from risk assessment through reporting Identify and assess risks through integrated surveys, simplifying the feedback process and tying risks to key processes and organizations that feed the audit planning process Schedule audits and allocate audit resources based on their availability and skills profile, allowing for better management of time and resources Track projects, report on resource utilization and manage budgets through time and expense tracking Manage electronic work papers offline through an audit workbench, including field-level synchronization and conflict management Remediate issues identified during the audit process and follow them through to completion to ensure gaps are addressed Compile audit information and create final audit reports quickly, reducing the time and effort required to provide management and the board with key risk information Follow up on key issues and track their status through insight-providing reporting and dashboards KEY ELEMENTS OF A GRC PLATFORM Most GRC vendors provide core GRC components with their platforms that can be configured to fit different GRC solutions. Based on their brand and points of origination, the solutions vary with regard to the depth of capabilities and content offered within the core components. For example, vendors that first released their products during the Sarbanes-Oxley Act (SOX) heyday will tend to have strong, purpose-built functionality for both financial controls and audit, such as auditor scheduling and offline work papers, whereas vendors that originated from an IT GRC perspective are more likely to have specific integrations with tools used to monitor IT systems to ensure business continuity, information protection and detection of IT threats. Below, we outline the basic functionalities of GRC platforms. Your organization s assessment of these functionalities will depend on whether you want to enable a single or synergistic set of GRC domains, or drive an integrated, cross-domain approach. Organizations or individual departments looking to implement GRC technology for a specific need will evaluate the functionality (and cost) of the solution in the specific context of that need. Organizations seeking an integrated GRC solution will evaluate the core functional components based on more broadly applicable technical capabilities, and, accordingly, should expect their costs to be higher. The core functional components of a GRC platform include: Data modeling. Data modeling supports the establishment of a consolidated GRC framework and entity hierarchy within which detailed business records (e.g., objectives, risks, controls, incidents, indicators, action plans) are managed. This core component is used across all GRC domains. The flexibility and configurability of the data modeling architecture is essential in integrated GRC deployments. Content management. The content management component is applicable to individual business records and supports authoring, rich-text editing, cross-referencing, tagging, workspace/file collaboration with version control, change history and archiving. This core component is prominently featured in compliance (policy management) and audit management solution areas. Project management. Project management capabilities are utilized to manage project scheduling, activities and work papers related to multiple GRC efforts, most notably audit and case management. These capabilities are also important for IT project portfolio management and are becoming more useful for the management of regulatory projects that stem from regulatory change management processes. 5

7 Workflow management. Workflow management automates business logic and facilitates enterprise communication, collaboration, notification, accountability and assurance, and review. It is used across all GRC contexts. Key workflow capabilities include: Business rules engine: The system should natively support auto-calculation of basic business rules based on client-specific criteria (e.g., calculation of total risk score based on impact and likelihood values). It should also support multirecord calculations and complex business logic that is customdeveloped and maintained across upgrades with no need for additional customization. Tasking and notification: The system should support role-based, event-driven tasking and notification that enables collaborative execution of key processes, including review and remediation activities. It should allow for multidirectional routing, including the ability to route work to multiple individuals at the same time, as well as send review comments back to individuals with reopening of previous tasks. It should offer configurable notifications that allow for tailored messaging and direct access of content from s. Distributed communication: The system should provide the option to distribute standard surveys where responses are maintained via the survey, and integrated assessments that directly update the underlying GRC register. It should also support site or checklist-driven audit and performance review activities that allow for mobile assurance professionals to remotely perform evaluations of their various sites, locations, branches, plants, etc. To drive more specific value and ROI around specific risks, this engine must support wizard -driven methods of communicating and collecting information to promote awareness, drive certifications and distribute e-trainings. It should provide specific features in support of conditional logic and allow for a high degree of complexity in terms of review and routing. Branded communication is sometimes an option that can support strategy and policy communication. Reporting and analysis. GRC platform reporting capabilities should include several types of reporting formats that provide flexible query analysis and data download capabilities, information summaries, drill-down dashboard reporting, and heavy-text and editable reporting (e.g., via Microsoft Word). Platforms vary in the accessibility of the data model and the level of expertise required to create data views, perform queries based on configured data elements and configure dashboards. Advanced analytics and modeling. Different platforms provide varying degrees of advanced analysis or integration with various operational, transactional and analytical tools used to consolidate analysis within the GRC taxonomy and drive enterprise action planning. Different types of advanced and external analytics capabilities include: Regulatory change management: Incorporates external regulatory feeds from multiple content providers in order to trigger workflows, specifically the sourcing of regulatory updates and related impact analysis. Data analysis: Performs data analysis that is either initiated from a proprietary module within the system or from external systems in the form of tests, indicators and actions. The types of data analytics performed are generally categorized as continuous controls monitoring (e.g., segregation of duties, duplicate payments, unmatched invoices); IT monitoring (e.g., vulnerabilities, patch requirements); and transaction and third-party monitoring/matching (e.g., anti-fraud, vendor matching against banned entity lists). Data modeling and integration: Several GRC platforms either provide their own proprietary modeling tools (e.g., Monte Carlo simulation, Pareto analysis) or provide inputs into other quantitative engines to support advanced data modeling for quantitative risk analysis for market, credit or liquidity risk or capital allocation for operational risks in certain regulatory circumstances. 6

8 The above components are underpinned by a core architecture which should support the following: Configuration. Configurability is essential to meeting unique customer requirements related to the data model, data input and visualization, and reporting. Data integration. GRC platforms tend to integrate with third-party systems via a web-based application program interface (API) as well as automated common-data-format (.xml,.csv) uploads. Different vendors integrate with different types of data, based on their origins and experience. For example, vendors focused on IT governance will tend to integrate with asset management and IT monitoring tools to bring IT infrastructure directly into the system. Vendors historically focused on financial controls implementations tend to integrate with ERPs to facilitate continuous controls monitoring. Companies should give consideration to actual integration examples in order to leverage existing extensions that may already be in place. While most vendors have an API, it may be important to find out whether their APIs are published or available for your internal consumption if you plan to have internal development teams integrate internal systems with the platform over time. Data security. GRC platform vendors typically offer a role-based security architecture that supports enterprise, entity, record and field-level security. Most also offer lightweight directory access protocol (LDAP) integration and single-sign-on capabilities. Potential points of differentiation in an integrated GRC implementation relate to the level of subadministration offered by the platform, such as the ability to filter certain record sets based on GRC disciplines or grouped areas in a way that is easily manageable (i.e., offering a level between enterprise- and entity-level assignments). Contextualization. In an integrated GRC implementation, the ability to present different navigation and input screens is of key importance for organizations that want a more intuitive platform that is also able to aggregate data into contextual themes. Multiple languages. For some companies, it may be important that the platform support a multilingual interface or input screens. This feature translates navigation, field labels and drop-down categorizations and provides reporting of results by reading multiple language inputs (e.g., aggregates the number of controls rated ineffective in English or ineficaz in Spanish). Performance. Companies should evaluate architecture performance by establishing performance standards based on the composition of users across key use cases. It may want to establish one set of standards for frequent users (e.g., auditors) and a different set of standards for infrequent users (e.g., quarterly certifiers), and test against both. Many GRC platforms lack snappiness even when not under heavy concurrency load. Knowing the size of the vendor s largest implementation and comparing it with the size of yours will help ensure that the platform meets your load requirements. Offline and mobile support. Organizations are increasingly requesting offline and mobile device support, particularly for distributed or offsite review processes (e.g., conduct of an audit or branch review). While this may not be one of your company s critical requirements currently, understanding the vendor s mobile strategy may provide insight into the usability of the system going forward not only for audits, but for enablement of less frequent user inputs (e.g., response to a certification questionnaire). 7

9 SOFTWARE EVALUATION CONSIDERATIONS When evaluating the different solutions, organizations need to consider several factors. One is the time frame and budget required to implement the system. Another is the configurability of the solution to the company s needs. Organizations should avoid platforms designed like black boxes, with limited ability to configure controls or generate the reports needed. Relationship with the vendor is another important factor to keep in mind. Many vendors are more focused on providing functional knowledge transfer rather than assisting their GRC customers with establishing a unified framework that can sustain multidiscipline GRC efforts. Not every solution vendor is interested in actively learning about and enabling the customers existing methodology. Open communication and access to the vendor s expertise during the evaluation period is key. During the vendor selection process, it is important to test the marketing message versus the vendor s ability to deliver. Areas of inquiry should include: Configurability versus customization. Vendors may market a high degree of configurability but require significant customization in order to do that. This increases initial implementation costs and the complexity of future upgrades. Clients should ask the vendor to articulate which elements of the vendor s platform require customization, and how the vendor will manage maintenance and upgrades for the client. Time to value. As a rule of thumb, most customers seek to gain value from at least one or two modules within six months. Vendors should be able to demonstrate a plan to show value for at least two stakeholder groups within this period. Multi-stakeholder integration. The company should ask the vendor to demonstrate a plan that will provide individual stakeholder groups with their own workspaces devoid of clutter from other stakeholder groups, while also consolidating information into corporate risk profiles. This plan should include unique data views and input screens as well as segregation of data among stakeholder groups. It should be clear during the evaluation process how many modules of the software are required to achieve integration across stakeholder groups and how much additional modules for further growth will cost. Specifically, when developing targeted solutions across different GRC disciplines, the vendor should be able to tell the client whether it will be able to configure core functionality from licensed modules into new solutions, or whether it would require additional modules or licensing for each new targeted solution on the vendor s development road map. Reporting. As mentioned previously, vendors should be able to demonstrate how configurations flow through to ad hoc reporting analysis without requiring significant technical effort on behalf of the client or intervention by the vendor. A key challenge with complex implementations is that it is nearly impossible to know all the information a company will want out of a system at the start of the implementation, so having a mechanism to create your own searches and reports is extremely important. Implementation team and customer support. Understanding the level of involvement of the implementation team, the scope of customer support and vendor resources, and the availability of knowledge forums are key to sustained success. While software vendors are typically not responsible for developing your methodologies, they should demonstrate a commitment to applying their functions to your program through analysis of your stated requirements and underlying data. The vendor should be able to articulate the functional guidance that is included in the baseline support versus additionally charged professional services. Vendors should also be able to articulate how their support resources are trained and how the knowledge gained during implementation is transferred to the future support team. Several vendors are developing interesting models in this regard, where customers are able to share experiences and knowledge of technical elements with the vendor and each other through virtual web exchanges. By facilitating this exchange, these vendors are strengthening the position of their enterprise platforms in the development community. 8

10 About Protiviti s GRC Technology Protiviti s GRC experts have worked with thousands of global clients to deliver targeted GRC software solutions that address their immediate needs while facilitating convergence toward fully integrated, valueadded GRC practices. The Protiviti Governance Portal is a comprehensive software platform that integrates content and commonly accepted and proprietary frameworks with world-class consulting expertise in order to provide organizations with the visibility and insight needed to manage and mitigate current and future risk and compliance issues. The Governance Portal integrates process, knowledge and technology to help clients: Start the GRC program quickly, using out-of-the box content and templates Execute GRC tasks efficiently using proprietary GRC content that provides industry normative guidance Create a self-sustainable GRC program by easily configuring the Governance Portal to meet each organization s GRC program requirements, methodology and terminology Add value by converging multiple GRC activities Rely on real-time reporting and dashboards to provide executives with a holistic view of all GRC efforts Contact Scott Wisniewski Managing Director Risk Technologies scott.wisniewski@protiviti.com ABOUT PROTIVITI Protiviti ( is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000 and 35 percent of Fortune Global 500 companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Named one of the 2015 Fortune 100 Best Companies to Work For, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index. 9

11 THE AMERICAS EUROPE/MIDDLE EAST/AFRICA UNITED STATES FRANCE ITALY THE NETHERLANDS Alexandria Atlanta Baltimore Boston Charlotte Chicago Cincinnati Cleveland Dallas Denver Fort Lauderdale Houston Kansas City Los Angeles Milwaukee Minneapolis New York Orlando Philadelphia Phoenix Pittsburgh Portland Richmond Sacramento Salt Lake City San Francisco San Jose Seattle Stamford St. Louis Tampa Washington, D.C. Winchester Woodbridge Paris GERMANY Frankfurt Munich BAHRAIN* Manama KUWAIT* Kuwait City OMAN* Milan Rome Turin QATAR* Doha SAUDI ARABIA* Riyadh Amsterdam UNITED KINGDOM London UNITED ARAB EMIRATES* ARGENTINA* Buenos Aires BRAZIL* Rio de Janeiro São Paulo CHILE* Santiago MEXICO* Mexico City PERU* Lima VENEZUELA* Caracas Muscat SOUTH AFRICA* Johannesburg Abu Dhabi Dubai CANADA Kitchener-Waterloo Toronto ASIA-PACIFIC AUSTRALIA INDIA* Brisbane Canberra Melbourne Sydney CHINA Beijing Hong Kong Shanghai Shenzhen Bangalore Hyderabad Kolkata Mumbai New Delhi JAPAN Osaka Tokyo SINGAPORE Singapore * Protiviti Member Firm 2015 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Vet. PRO-PKIC Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.