Perfecting Your IT Infrastructure, the Backbone of GRC

By Scott Mitchell, The Open Compliance And Ethics Group
An integrated approach to governance, risk, and compliance will not work without
an IT infrastructure to support it; after all, take the wiring out of your Maserati
and see how much good its fine-tuned Italian engineering does.
   Similarly, without information systems designed to move data where they’re needed,
when they’re needed, GRC personnel cannot form a clear, three-dimensional,
enterprise-wide picture of an organization’s challenges and opportunities. In other
words, they cannot turn data into knowledge if the data aren’t where they’re supposed
to be—and in a format that has meaning.
   Creating the kind of IT backbone that supports integrated GRC activities is not
easy; it involves a number of focused, difficult tasks that must be approached in a
coordinated manner. But that’s largely because each aspect of the underlying GRC
capability—assessment, prevention, detection, resolution, and measurement—can be
managed better with a better IT infrastructure behind it. And the entire GRC system
benefits from a coordinated view of the organization’s data as well.
   A common approach to risk assessment, for example, can only be achieved with
well-designed IT behind it. This will help to streamline the GRC process itself and,
more importantly, make it possible to prioritize risks and allocate capital across the
business. Technology can be used to help prevent adverse events from occurring by
facilitating workflow, managing information, managing documents, and tracking
employee participation in training. Using IT for GRC-related detection activities is
also especially productive. Because adverse events are detected using a number of
channels and techniques, it’s important to store information about them in a common
repository or in separate repositories that can be analyzed together for patterns.
   And IT is critical to problem resolution, of course. It can help manage workflow
associated with investigations—including how an issue is routed, escalated, and privileged.
Just imagine trying to accomplish meaningful process improvement without
a coordinated approach to, and integrated view of, the problem or problems being
solved. By integrating information and analysis from multiple data sources, an enterprise
can zero in on high-priority target areas for process improvement that may cut
across departments, functions, and business units.
   But while some individual elements of crafting a GRC IT backbone are even more
complicated than they sound, the task overall is far simpler (conceptually, at least)
than many organizations may realize. The point is not to add layer after layer of new
IT; rather, constructing a GRC backbone is about analyzing opportunities to simplify
existing IT and about leveraging existing IT investments.
   “Unnecessary complexity is the bane of business,” emphasizes Lee Dittmar, partner
at Deloitte Consulting. “Leveraging common information, processes, and systems,
when done right, is more efficient and effective.” And, he points out, doing so
works best when an organization maximizes its investment in enterprise systems by
incorporating enterprise information into desktop widgets, dashboards, and e-mail
programs. That way, the data in the system are the same you’ve been using; they’re
just being used better, because they’re consistent and protected across all applications
and access points. Future IT system upgrades become part of the solution, and not
another problem.
Design Principles

When applying IT to GRC, consider the following principles:
INTEGRATION. It is unlikely that a single application can enable all GRC activities.
Integrate existing and new technologies to create the “GRC Backbone.”
The GRC Backbone should integrate with existing business applications such
as Enterprise Resource Planning (ERP), Human Capital Management (HCM),
Customer Relationship Management & Sa
Description: 4. TO-BE DEFINITION. Using identified GRC needs and the current inventory of processes and technology, the team should identify gaps where GRC needs are not being met. Then, IT and GRC should enhance the enterprise architecture to address these needs. These changes could include using existing technology differently to turn available data into GRC-ready information, as well as building or buying new GRC-specific components, such as risk and control mapping software.