The case for converging governance, risk and compliance
Regulatory compliance is now a burning business issue with major IT implications. The appointment of a compliance manager is becoming commonplace—and yet compliance, like risk (for which there is often a risk manager), is part and parcel of governance—and needs to be thought of as such.

Typically, good governance is a key responsibility addressed at board level, and policies to achieve this then filter down through the organisation. Risk assessment and the consequent risk reduction measures are part of this, with regulatory and statutory compliance also needed to minimise company risk and achieve good governance. (Security comes under this umbrella too and is a major subject in its own right, but in this context it is often considered part of the risk reduction function.)

Many organisations that think of governance, risk and compliance (GRC) functions separately, and have different people handling them, are missing a trick I think (despite over-hyping of GRC by some of the consultancies). There are some important benefits in considering them all as aspects of the same issue. A few software companies have recognised this G-R-C convergence and changed their focus accordingly, so that there is now an emerging GRC IT sector.

Perhaps the most advanced in the UK in terms of functionality is Peapod, which I referred to last month and which has brought together several third party products addressing different parts of the need. However, as you would expect, the guys in the US are also on the case. So I will focus on one US-based vendor’s offering, which also illustrates the advantages of looking at this holistically. The company is Polivec (from ‘policy vector’) which, unlike Peapod, is growing a mainly in-house GRC solution.

Polivec’s approach starts with a ‘view from the top’ of the enterprise. From this vantage point the compliance, risk or security manager—or better still the overall ‘governance guru’—can view the whole organisation, its people and processes. The information is all accessible in real time from this dashboard, so it can be acted upon quickly.

So an obvious first benefit is that governance fragmentation is reduced, because such a dashboard brings the previously disparate strands together. Resulting advantages include avoiding the pitfalls of duplicating a function, or of missing it altogether because it falls between two disciplines, and eliminating communication gaps between people in the separated functions. Sometimes those developing, say, the compliance rules do not fully understand the business impact of doing so—and this needs to be factored in. Questions about lines of accountability also exist, and these can be ironed out more easily.

Obviously, this is not all down to the software, but this very approach will act as a catalyst to promote a better organisational GRC structure.

Whether it is the ‘G’, the ‘R’ or the ‘C’, the need is always to produce policies, with all the procedure steps defined. So a central repository contains all the policies, along with regulations and standards, which can in turn be broken down and linked to specific policies as appropriate.

What goes with this, and is in my view a must for this type of software, is an engine that maps policies to company requirements, including regulations. Polivec’s solution has an editor which does the linking using drag-and-drop capabilities.

The rules are held hierarchically and, as changes are made, there is a progression from draft to approved and then active. The whole cycle is also audited, right up to the point at which a rule becomes part of the live workflow. This is also important for compliance, since the outside assessors who check businesses’ compliance are especially interested in evidence of best practice and procedures, as well as in the resulting statistics.

“Effectively, this puts the policy in the driver’s seat,” Polivec’s VP of marketing Tom Grubb told me.

Internal procedures, including manual activities, are separately captured—and the software ‘technical manager’ can link to data anywhere in the flow.
But there is a gap. Collecting data is not the same as being compliant with regulations; gathering the data does not by itself make you compliant.

Grubb added that, while the tool was pretty straightforward to use and, once running, fairly self-sufficient, the challenge was in interpreting the needs. In fact, creating and maintaining policies is hard, however much software may help. There are internal and external policies; they need to be written properly and then kept up to date with every change that occurs. Compliance managers also know that legislation and regulatory compliance issues—and headaches—multiply with multi-national operations, and Grubb described this situation as “the wild west” right now.

The Polivec software can then be used to ensure the appropriate parts of each policy are distributed to all applicable employees, with policy enforcement criteria applied at any company level. In this way, new procedures can be implemented very rapidly.

Then again, an employee receiving a policy is not the same as him or her abiding by it in practice. So the software also includes employee awareness quizzes to capture their knowledge and assess what extra training is needed; this encourages internal compliance and good practice.

All of this is about simplified and better management, and reduced admin workload, and there are a few bells and whistles such as ‘what-if’ risk analysis for fine-tuning. The market has, for a long time, had a number of point solutions which help with some of these aspects but, so far, very few indeed take a full GRC perspective as I have described here.

However, what no software yet solves—and maybe never will completely—is how to turn a policy into its technical implementation automatically; for instance, taking a general high-level security policy and turning it into IT functionality wherever it is needed, say for application access.

In this context, the Polivec software does not deal with classifying computer-stored information to assist in automating some policies and helping them become more granular. Other software may do that—which illustrates that third party elements will inevitably be needed to arrive at the optimum overall GRC solution. Despite this, using software that supports implementation of GRC in a holistic way will help the business get a handle on the huge GRC task, providing clarity and easing the total burden.