Globally integrated markets, new accountability obligations arising from new laws and regulations, and the rising expectations of a broader group of stakeholders who demand effective corporate governance, risk management, transparency, accountability and optimized performance have made it a board-level concern to ensure that effective, transparent and reliable governance and compliance tools are in place and are actually used.
The challenge is that each term - governance, risk and compliance - has a different interpretation across the enterprise. There is IT governance and corporate governance; business risk, strategic risk, financial risk, operational risk and IT risk; corporate compliance, Sarbanes-Oxley (SOX) compliance, privacy compliance, and employment and labor compliance. The list is endless.
Hence the need for a unified GRC strategy that works across the roles in the organization (legal, risk, audit, compliance, IT, ethics, finance and the lines of business), guides people, standardizes processes and integrates technology so that GRC is embedded at every organizational level. The following are best practices for sound GRC in an enterprise:
• User Roles and Access Management
Enforce compliant user provisioning across all systems through integrated identity and access management. Define users and their roles centrally; assign, control, change and revoke access so that segregation-of-duties (SoD) conflicts are avoided. Automate SoD checks across enterprise applications, custom solutions and database systems with business-driven rules, so that no single person can both initiate and approve a sensitive transaction and unauthorized access to sensitive company and customer information is prevented. All users, including privileged users such as administrators, then have access only to what they need to do their job. A check that runs only at provisioning time is not enough on its own, because entitlements accumulate as people change roles; existing assignments should also be re-checked against the same rules.
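The following is an added example, not code from the original article or from any GRC product, of how the segregation-of-duties checks described above can be expressed: roles map to fine-grained entitlements, SoD rules name pairs of entitlements that one person must never hold together, and the same rule set serves both as a preventive check before a role is assigned and as a detective scan over existing assignments. The users, roles, entitlements, rule ids and the "sys_admin" role that grants everything are all constructed sample data, and the function names are this example's own.

```python
"""Segregation-of-duties (SoD) conflict detection over role assignments.

Added example. All data below is constructed for illustration; the function
names are not any vendor's API.
"""
from itertools import combinations

# Role -> set of entitlements (fine-grained permissions) that role grants.
ENTITLEMENTS_BY_ROLE = {
    "ap_clerk":       {"vendor.create", "invoice.enter"},
    "ap_supervisor":  {"invoice.approve", "payment.release"},
    "hr_specialist":  {"employee.create", "salary.change"},
    "payroll_runner": {"payroll.run"},
}
ALL_ENTITLEMENTS = set().union(*ENTITLEMENTS_BY_ROLE.values())
# Constructed privileged role: an administrator whose role grants every entitlement.
# Such a role is a standing SoD violation and should be flagged like any other user.
ENTITLEMENTS_BY_ROLE["sys_admin"] = set(ALL_ENTITLEMENTS)

# Business-driven SoD rules: pairs of entitlements one person must not hold together.
SOD_RULES = {
    "SOD-AP-01": ("vendor.create", "payment.release"),  # create a vendor and pay it
    "SOD-AP-02": ("invoice.enter", "invoice.approve"),  # enter and approve an invoice
    "SOD-HR-01": ("employee.create", "payroll.run"),    # add a ghost employee and pay them
    "SOD-HR-02": ("salary.change", "payroll.run"),      # change own pay and run payroll
}

# Current assignments (constructed). "carol" and "dave" hold toxic combinations.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_supervisor"},
    "carol": {"ap_clerk", "ap_supervisor"},
    "dave":  {"hr_specialist", "payroll_runner"},
    "erin":  {"sys_admin"},
}


def effective_entitlements(roles, entitlements_by_role=ENTITLEMENTS_BY_ROLE):
    """Union of everything the given roles grant; unknown roles grant nothing."""
    ents = set()
    for role in roles:
        ents |= entitlements_by_role.get(role, set())
    return ents


def violations_for(roles, rules=SOD_RULES, entitlements_by_role=ENTITLEMENTS_BY_ROLE):
    """Return [(rule_id, roles_granting_a, roles_granting_b)] for every rule the
    combined role set violates. Naming the granting roles tells the reviewer
    which assignment to revoke, not just that a conflict exists."""
    ents = effective_entitlements(roles, entitlements_by_role)
    found = []
    for rule_id, (a, b) in rules.items():
        if a in ents and b in ents:
            grants_a = sorted(r for r in roles if a in entitlements_by_role.get(r, ()))
            grants_b = sorted(r for r in roles if b in entitlements_by_role.get(r, ()))
            found.append((rule_id, grants_a, grants_b))
    return found


def audit_users(user_roles=USER_ROLES):
    """Detective control: scan every user's current assignments for conflicts."""
    report = {}
    for user, roles in user_roles.items():
        hits = violations_for(roles)
        if hits:
            report[user] = hits
    return report


def can_assign(user, new_role, user_roles=USER_ROLES):
    """Preventive control: (ok, new_rule_ids). Refuses a role if adding it to the
    user's existing roles would violate a rule that is not already violated."""
    current = set(user_roles.get(user, set()))
    before = {v[0] for v in violations_for(current)}
    after = {v[0] for v in violations_for(current | {new_role})}
    introduced = sorted(after - before)
    return (len(introduced) == 0, introduced)


def conflicting_role_pairs(entitlements_by_role=ENTITLEMENTS_BY_ROLE):
    """Role pairs that are clean on their own but toxic together. Useful for
    building a role-level conflict matrix; roles that violate a rule alone
    (here sys_admin) are reported by audit_users instead."""
    pairs = []
    for r1, r2 in combinations(sorted(entitlements_by_role), 2):
        alone_clean = not violations_for({r1}) and not violations_for({r2})
        if alone_clean and violations_for({r1, r2}):
            pairs.append((r1, r2))
    return pairs


if __name__ == "__main__":
    for user, hits in audit_users().items():
        for rule_id, via_a, via_b in hits:
            print(f"{user}: {rule_id} via {via_a} + {via_b}")
    print("alice + ap_supervisor:", can_assign("alice", "ap_supervisor"))
    print("toxic role pairs:", conflicting_role_pairs())
```

The rules are written over entitlements rather than role names on purpose: a conflict introduced by a new custom role or a direct database grant is still caught, because only the effective entitlement set is compared against the rules.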
• Data Management
Collaborate and share information, assessments, metrics, risks, investigations and losses across roles. Protect information efficiently and prevent fraud by identifying and removing access and authorization risks in cross-enterprise IT systems. Reduce redundant information silos and overlapping tasks, and keep date-effective audit trails that record the who, what and when of changes to critical business workflows, information, risk-control metrics, work papers, documentation and other evidence.
• Process Control and Management
Support both cross-industry and industry-specific processes. Enable business process control management by building on the core processes followed across the business and centrally monitoring key controls and data across enterprise systems. Automate risk-based processes for risk management, access control, IT controls testing, data monitoring and reporting.
• Risk-balanced Strategy Management
Assess the value of a new business opportunity together with its strategic, financial, legal and compliance risks, so that resources are used well and the market penalties from high-impact events are minimized. Establish risk tolerance thresholds in the context of business operations. Introduce risk-based controls across business process areas ranging from finance and operations to human resources.
• Automated Controls Enforcement
Establish an enterprise-wide understanding of risk with a standardized, automated process to identify, track, assess and treat risks. Highlight key risk and performance indicators through executive-level dashboards and dynamic drill-down reporting.
Minimize fraud risk with continuous monitoring and automated enforcement of best-practice configuration policies. Enforce comprehensive, automated controls for applications and the technology beneath them (middleware and databases). Determine root causes and accountability for each risk by tracking who owns it. Route alerts and notifications to the responsible personnel and IT managers for action.
• Enterprise Performance Management
Set organizational goals and objectives while allowing each line of business to address the distinct risk and compliance requirements within its own sphere. Maintain a balance between the autonomous and the shared functions that business units undertake.