igrc: Intelligent Governance, Risk, and Compliance White Paper

Transcription

1 igrc: Intelligent Governance, Risk, and Compliance White Paper Edgile, Inc. All Rights Reserved

2 Executive Overview This whitepaper discusses the business needs addressed by Edgile s igrc solution, which introduces a new approach to simplifying a company s governance, risk, and compliance (GRC) program. This white paper analyzes the current state of GRC solutions and addresses the competing goals that exist between software vendor licensing models and a company s need for a fully integrated solution. A new lower cost GRC model is then defined, which is born out of years of practical experience by Big 4 GRC professionals. This new model incorporates the following GRC services: Current State of GRC The Sarbanes Oxley Act, commonly referred to as SOX, was adopted on July 30, 2002 as the answer to financial accounting irregularities through auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure. The hangover from the party and related control bloat is still being felt nearly a decade later as unintended consequences. A myriad of other mandates HIPAA, PCI or FISMA have resulted in assurance overhead. Peeling away the initial layer of complexity (e.g., alphabet soup regulations) exposes a core set of issues. The issues boil down to what amounts to an arms race between the one off tools and point specific activities addressing each set of regulations. Every new law results in a new team being assigned to go solve the problem. Every new team develops its own approach, its own definition of the operating environment, its own methodology, process, tools and technologies. More people are required to not only develop the content and control environment, but also to test, manage, and monitor the remediation. Each law in affect creates a new island of assurance. The result is an inordinate increase in the amount of time spent on assurance activities and GRC systems, as compared to harmonization of assurance requirements over time Edgile, Inc. All Rights Reserved 2

3 The following diagram illustrates the ever increasing expectations of a company s assurance functions mirrored by an ever increasing amount of time spent meeting those expectations. The task of managing these assurance expectations is daunting and meaningful relief from regulations does not appear to be on the horizon. In fact, the situation at most organizations is getting worse with the adoption of the Dodd Frank Act and the increase of OCR audits and fines related to the enforcement of HIPAA security and privacy rules. The reaction from global legislators and boards alike is resulting in greater attention and demand for better quality information of GRC topics. Assurance services (i.e., the audit, risk and compliance activities, policy and governance management, control testing, finding and remediation management) are those services that are helping organizations improve the quality, context and quantity of information so that management can make better and more informed decisions. The three biggest cost factors of today s GRC programs and solutions are: Highly Manual Processes Significant Overlap in Effort Poor Risk Visibility Highly Manual Processes: Highly manual processes for assurance services are still the norm at large and small organizations alike. Anecdotally, one leading Big 4 audit firm was still using manual, paper based work papers as recently as And that manual mindset permeates both the firms that provide assurance services and the assurance functions within organizations. These manual processes result in challenges to ensure quality (e.g., it s difficult to reconcile different risk ratings and control descriptions for the same asset in Word and Excel 2013 Edgile, Inc. All Rights Reserved 3

4 documents), and have a high opportunity cost due to time not spent on higher value work (e.g., smart remediation planning and execution, assessing emerging technologies, preparing for changes in the regulatory environment). Significant Overlap in Effort: Potential for significant overlap is another challenge plaguing clients. The most common complaint We are audited around the same topic, in the same area, by five different groups. Can t they share information or talk to one another? And recent return on investment analysis performed at clients across industries has demonstrated this overlap between assurance functions (e.g., compliance, risk, internal audit, security, business continuity, and external audit) is costing companies millions of dollars each year. According to a Thomson Reuters press release in February 2012, companies were hit with 14,215 regulatory announcements globally in 2011, up sixteen percent from Fifty seven percent of these regulatory announcements came from the United States alone. With that volume, it s likely the overlap, especially for companies doing business in the United States, will continue to be a challenge. Poor Risk Visibility: Lack of visibility to risks is another factor resulting in millions of dollars of avoidable cost. Companies have estimated that a substantial re work of a new product offering or application can double the cost of the implementation due to missing controls needed to address risk and compliance requirements. The ability to spot risks early, have the right requirements and information about potential problems, allows management to adopt a more thoughtful remediation or informed risk acceptance. A New Approach to GRC Traditional GRC vendors have tried to address this inefficiency by bundling standalone modules into loosely coupled suites. This approach makes it easier for vendors to sell separate modules, but creates automation silos which mirror the organizational silos across a company s assurance functions. In contrast, Edgile s igrc solution takes a holistic approach with one integrated application automating all of a company s assurance services: One application One data model One process model The designers of igrc spent the last decade cutting their teeth on all the traditional GRC products in the market. igrc was then built from the ground up based on two design principles. The first principle is that a thoughtful design can synthesize the needs of each assurance stakeholder into one solution. The second principle is that companies within a given industry have very similar GRC content needs, which can be pre seeded as part of the initial installation. The first principle results in significant operational efficiency and the second principle results in faster setup times. This allows a company to save money while improving their GRC situational awareness Edgile, Inc. All Rights Reserved 4

5 igrc Process An intelligent GRC process enables both top down management (traditionally only seen in an Enterprise GRC platform), and detailed bottoms up management (traditionally only seen in an IT GRC platform). Our cross functional processes help assurance organizations streamline and automate their related activities. Our hierarchical process design facilitates discrete risk and compliance ratings, while also enabling risk and compliance roll up reporting necessary for the big picture view. Unlike other products in the market, igrc uses an organization centric perspective, not a software module perspective. This gives the customer the ability to do rollup and drill down risk and compliance ratings Edgile, Inc. All Rights Reserved 5

6 Business Unit The highest level groupings of the organization, the business unit is generally akin to line of business (LOB) and can be organized in any manner that makes sense to the organization (geography, legal entity, product, channel). A business unit has an inherent risk rating, residual risk rating, and compliance rating that considers the underlying risk units that comprise the BU. Risk Units A flexible construct designed to allow for both profit and loss (P&L) organizational modeling, as well as process or product modeling (e.g., when a process or service spans several departments). This unique approach allows for both traditional Sarbanes Oxley department based P&L modeling as well as operational risk and enterprise risk oriented process modeling. A risk unit has an inherent risk rating, residual risk rating, and compliance rating that considers the underlying Control Plans that comprise the RU. Control Plans The containers for risk and compliance related information including controls. Control Plans can take a variety of forms that include business process (e.g., Sales), IT process (e.g., Change Management), business function (e.g., legal), application (e.g., ERP Finance Application), infrastructure (e.g., WAN), property plant and equipment (e.g., facility), vendor (e.g., payroll outsourcing), data (e.g., PII), and cloud (e.g., SaaS). The Control Plan allows for high level analysis, detailed analysis, or both. A Control Plan has an inherent risk rating, residual risk rating, and compliance rating that considers the underlying Controls that comprise the Control Plans. Control The most granular level of risk and compliance analysis. Where appropriate, controls are directly tied to laws and regulations through the Regulatory Requirements to enable an understanding of the mandates driving the control design and the consequences of potential non compliance if the control isn t operating effectively. Test The assurance activity, potentially performed by multiple audiences (e.g., internal audit, security, compliance, the business) and tailored to the level of detail and rigor needed. Whether formal Sarbanes Oxley style testing is needed, or a quick review or confirmation from the control owner, the test at minimum rates the control design and operating effectiveness. Findings Should a control fail, or pass with findings noted, a Finding is created. A Finding links directly to a Test and through that linkage, clear transparency to related mandates is maintained. Findings are evaluated by severity and adjudicated through either a risk acceptance or remediation decision. A Remediation Plan, discussed in more detail below, can in turn be linked to the Finding. Remediation Plan The project, solution or fix for a Finding is referred to as a Remediation Plan. Remediation Plans can be developed that address one or more Findings. Remediation Plans allow for management of the corrective actions, as well as tracking of costs associated with compliance oriented enhancements Edgile, Inc. All Rights Reserved 6

7 igrc Content igrc Content offers a better way to address regulatory change management. Our extensive experience implementing GRC solutions have shown that content is key to achieving GRC solution efficiency and quality objectives. Edgile provides harmonized laws and regulations in an easy to use format for any GRC automation tool or manual compliance programs, and of course works seamlessly with the igrc software. The annual subscription services provide not only the synchronization of the laws and regulations that matter most to your organization, but also highly useful risk, governance and control related information to help your compliance program run at an optimized level. igrc Content is currently available for the following industries: Financial Services Healthcare Life Sciences Retail Government Manufacturing Gaming Energy & Utilities Edgile s igrc solution includes content from over 70 sources and quarterly updates, to help with your risk and compliance programs, including: Gramm Leach Bliley Act (GLBA) 12 CFR 30 Appendix B FFIEC Handbooks Sarbanes Oxley HIPAA US Privacy Laws EU Data Protection Directive COBIT PCI DSS HIPAA, HITECH, HITRUST, Meaningful Use 2013 Edgile, Inc. All Rights Reserved 7

8 21 CFR 11, 21 CFR 820 and General Principles of Software Validation: Final Guidance for Industry and FDA Staff NIST , NIST A, NIST , NIST , NIST ISO/IEC 27001, ISO/IEC 27002, ISO/IEC Other content accelerators that come standard with the igrc Solution include: Risk Register of likely threat vulnerabilities categorized and linked Policy, Standard, Procedure, and Guideline Templates sourced to Regulatory Requirements Operating Environment starter kits Risk Profilers, Risk Methodology and Risk Rollup Techniques Regulatory Change Management as a Service plug in Control Plan Templates with typical Controls already linked Audience Specific Dashboards that Inform Management on What Matters Most Reporting Packages for Laws and Programs (e.g., PCI, FISMA, SOX, etc.) igrc Technology Platform The igrc Solution embraces industry standard technologies and was built by Information Security professionals. Typically deployed in a Software as a Service (SaaS) configuration, freeing our customers up to focus on the high value GRC tasks. Compatible with Microsoft, MacOS, and mobile based devices, our technology highlights include: Key technology features of igrc include the following: Configurable by function (e.g., audit, Information Security, risk, compliance, etc.) Process & workflow models Interactive dashboards & reporting Role based access control (RBAC) with field level control A no install web based client Support for Microsoft, Apple and mobile phone clients Industry standard encryption Data import and export capabilities igrc Lower Cost of Ownership We have developed a proven Return on Investment (ROI) calculator, with both hard dollar and soft dollar savings. Lower cost of ownership value propositions include: One low cost enterprise subscription Based on standard Microsoft technologies Replaces the need for multiple piecemeal solutions Provided through a hosted service 2013 Edgile, Inc. All Rights Reserved 8

9 Getting Started Because igrc comes with all the features ready to go out of thebox and a variety of content accelerators pre configured and preloaded, your users are already licensed to use them all and they can quickly start benefiting from the value of an automated GRC process. A 30 minute demo is all it will take for you to be convinced that igrc redefines how companies will spend less money and get better results from their GRC programs in the future. Contact Edgile today to schedule a consultation and demonstration. Edgile, Inc. Company Headquarters 7000 N. Mopac Expressway Suite 200 Austin, TX Telephone: Fax: info@edgile.com 2013 Edgile, Inc. All Rights Reserved 9