Governance, Risk & Compliance Advisory Blog

Insights on best practices related to IT Audit & Compliance

Governance, Risk, and Compliance Management: An Operational Approach

April 17, 2010 01:45 by author nirav

Globally integrated markets, new levels of accountability stemming from new laws and regulations, and the ever increasing expectations of a broader stakeholder group that demands effective corporate governance, risk management, transparency, accountability and optimized performance have elevated to board level the concern that effective, transparent and reliable governance and compliance tools are in place and are actually used.

The challenge is that each of the individual terms, Governance, Risk and Compliance, has a different interpretation across the enterprise. We have IT Governance, Corporate Governance, Business Risk, Strategic Risk, Financial Risk, Operational Risk, IT Risk, Corporate Compliance, Sarbanes-Oxley (SOX) Compliance, Privacy Compliance, and Employment and Labor Compliance. The list is endless.

Thus there is a need for a unified GRC strategy that works with multiple roles across the organization (legal, risk, audit, compliance, IT, ethics, finance, lines of business); guides people; standardizes processes; and integrates technology to embed GRC at every organizational level. The following best practices help ensure sound GRC practice in an enterprise:

• User Roles and Access Management

Enforce compliant user provisioning across all systems with integrated user identity and access control management. Centrally define users and their roles; assign, control, change and revoke access so that segregation of duties conflicts are avoided. Automate segregation of duties checks across enterprise applications, custom solutions and database systems with business-driven rules to prevent unauthorized access to sensitive company and customer information. All users, including privileged users such as administrators, thus have access only to what they need to do their job.

• Data Management

Collaborate and share information, assessments, metrics, risks, investigations and losses across roles. Protect information efficiently and prevent fraud by identifying and preventing access and authorization risks in cross-enterprise IT systems. Reduce redundant information silos and overlapping tasks, while utilizing date-effective audit trails that track the "who, what, and when" of changes made to critical business workflows, information, risk-control metrics, work papers, documentation and other evidence.

• Process Control and Management

Provide support to both cross-industry and industry-specific processes. Enable business process control management by leveraging the core processes followed across the business and centrally monitoring key controls and data across enterprise systems. Automate risk-based processes to address risk management, access control, IT controls testing, data monitoring, and reporting.

• Risk-balanced Strategy Management

Assess the value of a new business opportunity together with its associated strategic, financial, legal and compliance risks, to optimize resource usage and minimize the market penalties from high-impact events. Establish tolerance thresholds for risks in the context of business operations. Introduce risk-based controls across business process areas ranging from finance and operations to human resources.

• Automated Controls Enforcement

Establish an enterprise understanding of risk with a standardized and automated process to identify, track, assess, and treat risks. Highlight key risk and performance indicators with the help of executive-level dashboards and dynamic drill-down reporting.

Minimize fraud risk with continuous monitoring and automated enforcement of best-practice configuration policies. Enforce comprehensive and automated controls for applications and technologies, including middleware and databases. Determine root causes and accountability for risk by tracking personnel ownership. Route alerts and notifications to the responsible personnel and IT managers for appropriate action.

• Enterprise Performance Management

Set organizational goals and objectives while allowing separate lines of business within the organization to address the distinct risk and compliance requirements within their sphere. Maintain a fine balance between the autonomous and the related functions that business units undertake.

Cost of Governance Risk and Compliance

March 13, 2010 07:16 by author nirav

Governance, Risk and Compliance or "GRC" is the umbrella term covering an organization's approach across these three areas. Being closely related concerns, governance, risk and compliance activities are increasingly being integrated and aligned to some extent in order to avoid conflicts, wasteful overlaps and gaps.

For many enterprises, compliance is time consuming and costly, and is viewed as a cost of doing business. However, some IT organizations have lowered their ongoing compliance costs by centralizing their compliance and risk initiatives. More importantly, these companies with centralized compliance initiatives are better positioned to benefit in the future by leveraging and extending their efforts to improve their operations and effectively manage compliance initiatives.

Cost, Efficiency, Flexibility

Cost Management, Efficiency and Flexibility have always been prevalent themes in business. In the risk and compliance management space, these three trends have come to the forefront:

  • Reduce costs
  • Improve operational efficiency
  • Utilize flexible frameworks as the basis for building sound programs

Many companies have turned to a risk and compliance management strategy and supporting infrastructure that can grow with their organization as their needs change. Using this platform approach to Governance Risk & Compliance (GRC) not only increases efficiency and drives down cost, but also ensures that the demands of the risk and regulatory landscape are met today and tomorrow. GRC strategies look to streamline these efforts and manage risks more efficiently.

Cost Cutting Considerations

While companies are trying to cut costs, it is important to understand the factors and end results associated with reducing risk management programs when deciding where and how much to cut. All too often compliance is overlooked as a key piece of the risk landscape, when it is critical for the success of a Governance, Risk & Compliance (GRC) program.

A Governance, Risk & Compliance (GRC) platform that brings compliance and risk management together not only brings efficiencies to the organization but can also be leveraged to understand the impact of cutting costs. Reducing investments in the Governance, Risk & Compliance (GRC) areas may have short term gains with serious long term negative impacts. Better business decisions can be made when risks are put into perspective and the quality of risk data is improved. These types of decisions must be weighed carefully.

Finding the Right Balance

Finding the right balance of controls originates from a well-run risk management process. Before deferring investment in new technologies and reducing staff, the risks associated with these reductions have to be understood. Designing controls around these risks can ensure that reductions aren’t met with increased risk in business-critical functions.

Companies that have switched to an automated Governance, Risk & Compliance (GRC) approach have found that analysis which previously required months of research can be done in minutes, and with much greater detail. Automated Governance, Risk & Compliance (GRC) technology can streamline policy management while taking compliance controls into account.

Getting value for your Governance, Risk & Compliance (GRC) Investment

There are three main categories of Governance Risk & Compliance (GRC) initiatives to consider:

  • Governance, Risk & Compliance (GRC) Research and Development is based on understanding regulations, risk management approaches and control frameworks and mapping the relevant business requirements to the company’s operations.
  • Governance, and Policy Management is focused on properly communicating and enforcing governance and risk management policies and controls across the enterprise.
  • E-GRC Management and Reporting measures the overall corporate environment against established controls emphasizing reporting and analyzing trends, as well as remediating risks and incidents with mapping back to root causes.

By identifying cost savings and improved operational efficiency, companies can justify the cost of Governance, Risk & Compliance (GRC) technology and demonstrate rapid ROI. Even modest Governance, Risk & Compliance (GRC) programs can be very expensive when they are based on manual processes and niche technology solutions.

Conclusion

Thinking strategically and establishing a scalable framework to meet future requirements is far more beneficial than a one-off, "quick fix" remediation plan. E-GRC technology can replace disparate, inefficient, manual tools and processes. To leverage knowledge throughout the organization, controls must be managed and collaboration increased. Automation is a key factor in managing and communicating policy adherence. So when companies can't decide what to cut, what to keep and where to invest, they need to think about both the risks and the rewards.

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.

© Copyright 2010
