Finding GRC Software to Suit Your Needs by ProQuest


Finding GRC Software to Suit Your Needs

By James Bone
Compliance Week Columnist

The popularity and proliferation of governance, risk, and compliance systems has grown over the years as regulatory requirements have become more complex. So it's little wonder that IT, risk, and compliance professionals have sought ways to make their lives less complex.

After all, who wouldn't want some form of automated process that delivers real-time data to senior executives and business-unit managers so they can better assess and manage your risks? As businesses have looked to cut costs and streamline processes, technology is often expected to provide efficiency for many of the previously manual functions performed by individuals. Enter the vendor of GRC software.

Not surprisingly, however, achieving the promise of GRC software has been elusive. Vendors' products typically are compilations of templates from risk and compliance frameworks, such as the Committee of Sponsoring Organizations (COSO) or Control Objectives for Information and Technology (CoBIT). Home-grown programs are usually built in business silos, preventing scalable implementation across the whole enterprise—which is precisely the perspective that the C-suite needs.

Why have these systems failed to live

ogy strategy for managing compliance?

Every company will answer those three questions differently, so let's explore the main points of each one in turn.

Key Issues: First begin with a concise policy on the three pillars of oversight: governance, risk, and compliance. Governance is the main driver of the next two pillars, risk and compliance, so before you even start to implement a system, senior management must agree on who is responsible for governance and what that looks like. Be precise in that agreement. Is governance decentralized or centralized? How often will reporting occur? What are the critical issues and topics that must bubble up from work papers from compliance and risk management?

Lastly, you must decide how to prioritize the mitigation of critical risk and compliance issues. Without formal agreement and support of a governance framework, a GRC project may be viewed as a "compliance project" that competes for business resources during tight budgetary times. Just as bad, smaller projects might crop up across the firm that aren't connected to the strategy set forth in the governance policy. You want a governance framework that allows for a strategy that can evolve with GRC, rather than one that exists as a collection of siloed approaches livi

derstand how the programs work. Depending on the size of your corporation, however, you may well reach the limits of capability with MS applications. That doesn't automatically mean you must look to outside vendors. Whether you use relational databases or non-relational databases (cloud computing, Web-based development, or other computer technology), you may have the framework for creating a GRC system that could be tied into online applications with real-time data.

Is all that still cheaper than using a vendor? That's a complex decision that only your firm can weigh against the choice of buying from an outside vendor.

If you do decide to buy a suite or platform to integrate into your organization, consider whether the vendor can accommodate the requirements imposed by the IT department. Before you circulate any request for proposals from vendors, you absolutely must consult your IT department; this is critical. Many companies mistakenly believe that the implementation of a GRC system is the IT department's responsibility. Wrong! A GRC system should be chosen to solve the challenges set forth in the governance policy and must be owned by those responsible for implementing the governance strategy. The IT department is critical in the process, yes—but should be used to enable