
GOVERNANCE, RISK AND COMPLIANCE
Platform Considerations

Orbit Tech
EXECUTIVE SUMMARY

Integration of multiple governance, risk and compliance (GRC) disciplines on a single platform is increasing, yet barriers to successful integration of the technology across numerous groups remain.

Many organizations continue to use multiple GRC technologies to fulfill different departmental needs, and different platforms are used for IT GRC and enterprise GRC (eGRC). Within the eGRC space, integration is most often encountered among internal audit, financial controls and enterprise risk assurance. Compliance-oriented functions have been less inclined to integrate on a single platform – this is due in part to the specific subject-matter expertise required of the different compliance functions, thus making the wider risk and control sets documented by other groups less relevant to compliance teams.

GRC DOMAINS

GRC solutions are typically grouped into the GRC domains described below. Each domain may have one or more subgroupings (e.g., the compliance domain has a variety of industry- or regulatory-specific subdomains such as anti-corruption, financial services regulatory tracking, Bank Secrecy Act

Enterprise Risk Management (ERM)

ERM platforms help companies execute their business strategies while managing enterprise and operational risks. They are designed to support management’s articulation of business objectives, key strategies and risk appetite. The platform should enable a clear linkage of risks to performance objectives and facilitate the communication between leadership and the lines of business (LOBs) regarding responsibility to execute strategies within clearly defined tolerances. To support operational risk programs, ERM platforms enable development of detailed risk and control registers, and support client-tailored assessment exercises as well as tracking of related incidents. They allow for different assessment methodologies across assurance disciplines that can be consolidated and aggregated into a broader corporate risk profile.

Companies adopting more analytical approaches may also use the platforms to track actual, near-miss and scenario-based incidents that directly link to related objectives, risks and controls as well as incorporate key performance indicators (KPIs) and key risk indicators (KRIs) from multiple source systems. Finally, ERM platforms may either directly support, or provide inputs into, other third-party engines to support data modeling for certain types of quantitative analysis used for certain types of financial risks (e.g., credit, market, liquidity) and operational risk capital allocation.

ERM platforms include features that help organizations do the following:

• Establish a risk model or framework that documents a common risk language across the organization, allowing risk managers to compare and manage risks across the enterprise
• Deploy risk assessments through an integrated workflow and survey engine, helping risk managers to identify and focus on the right risks at the right time to minimize exposure
• Develop response strategies to address identified risks and manage the implementation and execution of the strategies through completion
• Identify KRIs and establish acceptable thresholds that generate alerts to stakeholders and executives when thresholds are violated, allowing risk managers to take quick action to mitigate risk
• Manage incidents and their impact on the business through data collection, reporting, root cause identification and accountability, inclusive of scenario analysis

Compliance Management

Compliance platforms help companies incorporate compliance with external laws and regulations as well as internal policies into their enterprise risk profile. Platforms typically combine content and policy management with external regulatory feeds and internal controls to provide companies with a rationalized framework for managing externally and internally driven compliance programs efficiently. These platforms’ workflow and assessment engines support tailored, scalable methods for communicating and monitoring adherence to policies across LOBs, products and services. They leverage a relational architecture allowing program managers to connect front-office activities (e.g., underwriting a loan) with back-office processes and capabilities (e.g., IT systems that support the process), highlighting areas requiring remediation and supporting management of compliance-oriented projects.

Compliance platforms include features that help organizations do the following:

• Manage policies, including documentation, review, communication and attestation
• Integrate policies with other enterprise content and records management systems such as Microsoft SharePoint
• Monitor external regulations through feeds from third-party content providers and involve business-line representatives in the impact assessment via streamlined workflows
• Associate regulations and risks to policies and controls in a way that allows organizations to apply rationalized compliance efforts efficiently to multiple regulatory and risk management activities
• Offer eLearning modules to communicate corporate brand and ideals, promote employee education, and comply with training requirements incorporated into various laws and regulations in a cost-effective manner
• Prioritize and manage compliance projects in the context of broader corporate initiatives and resource allocation, enabling the balancing of profit-driving strategies with regulatory imperatives

Information Technology (IT) Governance

IT governance platforms help companies align IT strategy with the needs of the business by establishing IT-centric risk and compliance processes that allow for effective management of business risks and external regulations. They serve as a central repository of the IT environment and allow organizations to prioritize and manage IT projects while optimizing resource allocation, effectively balancing strategic initiatives with equally necessary compliance imperatives.

In addition, IT platforms facilitate the drawing of clear associations between key elements of the IT infrastructure and the company’s business lines, products, services and processes. They enable policy management and facilitate bi-directional assessment of the business risks that IT controls mitigate as well as the risks originating in IT that may adversely impact the business. Incident, KPI and KRI tracking quickly bring to the surface IT exposures originating from assessment exercises as well as integrated source systems and include workflow to manage related exceptions.

IT governance platforms include features that help organizations do the following:

• Inventory the IT landscape, including assets, processes, services, applications and infrastructure elements
• Prioritize and manage IT projects based on the balance of strategic objectives and compliance requirements
• Develop, maintain, communicate and monitor adherence to IT policies
• Implement standard frameworks, including ITIL, COBIT, ISO27002, PCI, GLBA and HIPAA
• Highlight the results of IT risk assessments, incidents and threshold breaches in the context of related business products, services and processes to draw attention quickly to areas requiring attention
• Develop business continuity plans, including checklists, workflow templates, questionnaires, assessments and planning guidance
• Test general computing controls and assess the impact of these controls on key business processes
• Remediate issues and risks through action plans and tasks generated through automatic email notifications and workflows
• Integrate their platforms with third-party IT monitoring tools to identify potential IT vulnerabilities that require remediation

Financial Controls

Financial controls platforms have capabilities designed to improve corporate governance and facilitate compliance with financial reporting regulations in a cost-effective manner. The platform serves as a repository for all internal control documentation, evaluation, testing and remediation inclusive of financial reporting certifications. Increasingly, financial controls platforms provide continuous controls monitoring capabilities that directly link data analysis of enterprise resource planning (ERP) transactional data to test or KRI results, allowing monitoring for exceptions or threshold breaches.

Financial controls platforms include features that help organizations do the following:

• Complete a financial risk-based scoping exercise and prioritize key risks and controls that affect compliance with financial reporting regulations
• Create process, risk and control documentation in a central repository, allowing for analysis of entities, processes and IT systems
• Deploy design and operating effectiveness assessments to control owners through an integrated survey engine to drive accountability and simplify the user experience
• Validate controls through independent testing and continuous monitoring, providing assurance about the control environment
• Facilitate disclosure certification of gaps and weaknesses through dashboards and reports that compile information based on internal analysis and testing of controls
• Integrate remediation management into processes through action plans, automatic email notifications to business owners and reporting to ensure that deficiencies are addressed

Internal Audit (IA)

Internal audit GRC platforms help companies integrate internal audit into their GRC programs to bring a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.1 The integration of audit capabilities into the broader GRC platform not only facilitates execution of the annual audit plan but helps IA professionals to share their insights with other groups and view and leverage the work of others to ensure appropriate coverage of enterprise risks. IA GRC platforms typically integrate scheduling and work paper management with the shared GRC register, allowing auditors to leverage the work of other disciplines while also providing independent validation of policy and control procedures.

IA platforms are designed to support the end-to-end audit lifecycle management, including enterprise risk assessment, planning, execution, reporting, monitoring and follow-up. They also provide a central repository for all audit work, making it easy to find and manage. Many GRC platforms include time and expense management, auditor profile management and offline work paper management.

IA capabilities help organizations do the following:

• Automate the audit process, from risk assessment through reporting
• Identify and assess risks through integrated surveys, simplifying the feedback process and tying risks to key processes and organizations that feed the audit planning process
• Schedule audits and allocate audit resources based on their availability and skills profile, allowing for better management of time and resources
• Track projects, report on resource utilization and manage budgets through time and expense tracking
• Manage electronic work papers offline through an audit workbench, including field-level synchronization and conflict management
• Remediate issues identified during the audit process and follow them through to completion to ensure gaps are addressed
• Compile audit information and create final audit reports quickly, reducing the time and effort required to provide management and the board with key risk information
• Follow up on key issues and track their status through insight-providing reporting and dashboards

KEY ELEMENTS OF A GRC PLATFORM

Most GRC vendors provide core GRC components with their platforms that can be configured to fit different GRC solutions. Based on their brand and points of origination, the solutions vary with regard to the depth of capabilities and content offered within the core components. For example, vendors that first released their products during the Sarbanes-Oxley Act (SOX) heyday will tend to have strong, purpose-built functionality for both financial controls and audit, such as auditor scheduling and offline work papers, whereas vendors that originated from an IT GRC perspective are more likely to have specific integrations with tools used to monitor IT systems to ensure business continuity, information protection and detection of IT threats.

Below, we outline the basic functionalities of GRC platforms. Your organization’s assessment of these functionalities will depend on whether you want to enable a single or synergistic set of GRC domains, or drive an integrated, cross-domain approach. Organizations or individual departments looking to implement GRC technology for a specific need will evaluate the functionality (and cost) of the solution in the specific context of that need. Organizations seeking an integrated GRC solution will evaluate the core functional components based on more broadly applicable technical capabilities, and, accordingly, should expect their costs to be higher.

The core functional components of a GRC platform include:

• Data modeling. Data modeling supports the establishment of a consolidated GRC framework and entity hierarchy within which detailed business records (e.g., objectives, risks, controls, incidents, indicators, action plans) are managed. This core component is used across all GRC domains. The flexibility and configurability of the data modeling architecture is essential in integrated GRC deployments.
• Content management. The content management component is applicable to individual business records and supports authoring, rich-text editing, cross-referencing, tagging, workspace/file collaboration with version control, change history and archiving. This core component is prominently featured in compliance (policy management) and audit management solution areas.
• Project management. Project management capabilities are utilized to manage project scheduling, activities and work papers related to multiple GRC efforts, most notably audit and case management. These capabilities are also important for IT project portfolio management and are becoming more useful for the management of regulatory projects that stem from regulatory change management processes.
