Platform Considerations
Orbit Tech
EXECUTIVE SUMMARY
Integration of multiple governance, risk and compliance (GRC) disciplines on a single platform is
increasing, yet barriers to successful integration of the technology across numerous groups
remain.
Many organizations continue to use multiple GRC technologies to fulfill different departmental
needs, and different platforms are used for IT GRC and enterprise GRC (eGRC). Within the eGRC
space, integration is most often encountered among internal audit, financial controls and
enterprise risk assurance. Compliance-oriented functions have been less inclined to integrate
on a single platform – this is due in part to the specific subject-matter expertise required of the
different compliance functions, thus making the wider risk and control sets documented by other
groups less relevant to compliance teams.
GRC DOMAINS
GRC solutions are typically grouped into the GRC domains described below. Each domain may have one
or more subgroupings (e.g., the compliance domain has a variety of industry- or regulatory-specific
subdomains such as anti-corruption, financial services regulatory tracking, Bank Secrecy Act
• Establish a risk model or framework that documents a common risk language across the organization, allowing risk managers to compare and manage risks across the enterprise
• Deploy risk assessments through an integrated workflow and survey engine, helping risk managers to identify and focus on the right risks at the right time to minimize exposure
• Develop response strategies to address identified risks and manage the implementation and execution of the strategies through completion
• Identify KRIs and establish acceptable thresholds that generate alerts to stakeholders and executives when thresholds are violated, allowing risk managers to take quick action to mitigate risk
• Manage incidents and their impact on the business through data collection, reporting, root cause identification and accountability, inclusive of scenario analysis
party engines to support data modeling for certain types of quantitative analysis used for certain
types of financial risks (e.g., credit, market, liquidity) and operational risk capital allocation.
Compliance Management
Compliance platforms help companies incorporate compliance with external laws and regulations as
well as internal policies into their enterprise risk profile. Platforms typically combine content and policy
management with external regulatory feeds and internal controls to provide companies with a
rationalized framework for managing externally and internally driven compliance programs efficiently.
These platforms’ workflow and assessment engines support tailored, scalable methods for
communicating and monitoring adherence to policies across LOBs, products and services. They
leverage a relational architecture allowing program managers to connect front-office activities
(e.g., underwriting a loan) with back-office processes and capabilities (e.g., IT systems that support
the process), highlighting areas requiring remediation and supporting management of compliance-
oriented projects.
• Inventory the IT landscape, including assets, processes, services, applications and infrastructure elements
• Prioritize and manage IT projects based on the balance of strategic objectives and compliance requirements
• Develop, maintain, communicate and monitor adherence to IT policies
• Implement standard frameworks, including ITIL, COBIT, ISO27002, PCI, GLBA and HIPAA
• Highlight the results of IT risk assessments, incidents and threshold breaches in the context of related business products, services and processes to draw attention quickly to areas requiring attention
• Develop business continuity plans, including checklists, workflow templates, questionnaires, assessments and planning guidance
• Test general computing controls and assess the impact of these controls on key business processes
• Remediate issues and risks through action plans and tasks generated through automatic email notifications and workflows
• Integrate their platforms with third-party IT monitoring tools to identify potential IT vulnerabilities that require remediation
Financial controls platforms include features that help organizations do the following:
• Complete a financial risk-based scoping exercise and prioritize key risks and controls that affect compliance with financial reporting regulations
• Create process, risk and control documentation in a central repository, allowing for analysis of entities, processes and IT systems
• Deploy design and operating effectiveness assessments to control owners through an integrated survey engine to drive accountability and simplify the user experience
• Validate controls through independent testing and continuous monitoring, providing assurance about the control environment
• Facilitate disclosure certification of gaps and weaknesses through dashboards and reports that compile information based on internal analysis and testing of controls
• Integrate remediation management into processes through action plans, automatic email notifications to business owners and reporting to ensure that deficiencies are addressed
Internal Audit (IA)
Internal audit GRC platforms help companies integrate internal audit into their GRC programs to bring a systematic,
disciplined approach to evaluating and improving the effectiveness of risk management, control and governance
processes.1 The integration of audit capabilities into the broader GRC platform not only facilitates execution of
the annual audit plan but helps IA professionals to share their insights with other groups and view and leverage the
work of others to ensure appropriate coverage of enterprise risks. IA GRC platforms typically integrate scheduling
and work paper management with the shared GRC register, allowing auditors to leverage the work of other
disciplines while also providing independent validation of policy and control procedures.
IA platforms are designed to support the end-to-end audit lifecycle management, including enterprise risk
assessment, planning, execution, reporting, monitoring and follow-up. They also provide a central repository for all
audit work, making it easy to find and manage. Many GRC platforms include time and expense management,
auditor profile management and offline work paper management.
Most GRC vendors provide core GRC components with their platforms that can be configured to fit different
GRC solutions. Based on their brand and points of origination, the solutions vary with regard to the depth
of capabilities and content offered within the core components. For example, vendors that first released their
products during the Sarbanes-Oxley Act (SOX) heyday will tend to have strong, purpose-built functionality for
both financial controls and audit, such as auditor scheduling and offline work papers, whereas vendors that
originated from an IT GRC perspective are more likely to have specific integrations with tools used to monitor
IT systems to ensure business continuity, information protection and detection of IT threats.
Below, we outline the basic functionalities of GRC platforms. Your organization’s assessment of these functionalities
will depend on whether you want to enable a single or synergistic set of GRC domains, or drive an integrated,
cross-domain approach. Organizations or individual departments looking to implement GRC technology for
a specific need will evaluate the functionality (and cost) of the solution in the specific context of that need.
Organizations seeking an integrated GRC solution will evaluate the core functional components based on
more broadly applicable technical capabilities, and, accordingly, should expect their costs to be higher.
The core functional components of a GRC platform include:
• Data modeling. Data modeling supports the establishment of a consolidated GRC framework and entity hierarchy
within which detailed business records (e.g., objectives, risks, controls, incidents, indicators, action plans) are
managed. This core component is used across all GRC domains. The flexibility and configurability of the data modeling
architecture are essential in integrated GRC deployments.
• Content management. The content management component is applicable to individual business records and
supports authoring, rich-text editing, cross-referencing, tagging, workspace/file collaboration with version control,
change history and archiving. This core component is prominently featured in compliance (policy management)
and audit management solution areas.
• Project management. Project management capabilities are utilized to manage project scheduling, activities and
work papers related to multiple GRC efforts, most notably audit and case management. These capabilities are also
important for IT project portfolio management and are becoming more useful for the management of regulatory
projects that stem from regulatory change management processes.