1. Learn how to manage risks and compliance.
Managing business risk and achieving regulatory compliance are among the greatest challenges that enterprises face. There is increasing pressure to comply with evolving legislation, mandates, standards, and regulations designed to protect against an array of risks that span different industries, disciplines, governments, and geographies.
Yet in many organizations, compliance and risk management have been treated as silos of responsibility, supported by reactive point solutions that can introduce new cost burdens and complexity. Constant fire drills, regulatory pressure, organizational anxiety, and even outright confusion are not uncommon. Despite large investments in this area, executives believe their organizations have inadequately addressed the processes and systems dealing with risk, compliance, and security.
Top challenges in risk management are
- Prioritizing risks
- Defining control objectives and control activities
- Measuring potential risks and control efficiency
- Constantly being in a reactive mode when dealing with risk
2. Become “risk-adept” rather than “risk-averse."
Take a results-oriented, execution-driven approach to become “risk-adept” rather than “risk-averse.”
A best-leading-industry approach has these elements:
- Use strategies and processes that drive value (access, execute, monitor, remediate and report)
- Establish effective processes integrated with automated workflows to make sure nothing important is skipped
- Maintain a library of tested risk indicators and control activities
- Remain current with new and emerging risk factors and compliance issues
- Leverage insights about leading practices from many industries
The approach should be designed to help your organization better identify, understand, and manage the dynamic interrelationships between risk and compliance and incorporate those disciplines into daily business activities.
Build up a global, unified risk and compliance framework that can be vertically tailored to your specific needs, allowing your organization to assert more control over complex and ever-changing risk and compliance dynamics. With this approach, you can achieve greater levels of compliance and better manage risk at less cost with degrees of efficiency and precision not possible with a traditional siloed approach.
3. EGRC comprises strategy, business process, and technology.
An enterprise-wide governance, risk, and compliance implementation (EGRC) comprises strategy, business process, and technology to give your organization an enterprise-scale platform configurable to address a host of regulatory requirements, industry standards, and controls and internal policies. It should help managers and auditors assess the potential effect of threats and vulnerabilities on compliance—including the risk of noncompliance itself—by covering:
- Regulatory compliance: providing a comprehensive framework for managing Sarbanes-Oxley, Japanese Sarbanes-Oxley, Basel II, Markets in Financial Instruments Directive, OMB Circular A-123, and other compliance initiatives.
- Internal policies and procedures: configuring the solution to your organization’s specific needs.
- Enterprise risk management: assessing and managing business risks using key risk indicators that measure risk likelihood and effect, then translates those effects into control objectives and monitors effectiveness through compliance.
For companies based in the United States, the EGRC solution should align with the Public Company Accounting Oversight Board’s Auditing Standard No. 5, which encourages a risk-based approach to compliance under Sarbanes-Oxley Section 404. It gives public companies greater flexibility to focus compliance initiatives on areas that present the greatest degree of risk, such as financial-closing processes or fraud-management controls, rather than on myriad Sarbanes-Oxley-based controls without regard to the importance to their business.
4. EGRC is aware of end-users needs.
Based on our experience, the primary end-user wants to:
- Store, access, search, track, and manage risk and compliance data, e.g., by a survey functionality that helps users in making a realistic assessment of their current state and also chart out the course of action for their risk or compliance program.
- Automate workflow processes and information routing.
- Prioritize, assess, and manage remediation of control deficiencies, e.g., by entering risk, KRI, and compliance data into libraries or link attributes through a hierarchy.
- Collaborate atop a familiar standards-based platform.
- Monitor risk and compliance with metrics, alerts, and analytics, e.g., by reviewing the status of risk and compliance metrics.
5. SharePoint offers features and capabilities for EGRC.
Why? Here are some reasons:
- Rapidly acceptable. The familiar Microsoft “look and feel” increases the speed of adoption and reduces users’ resistance to change, while implementing standard libraries for COSO, CoBIT, ISO, and ITL
- Configurable versus customizable. Taking advantage of the extensive and flexible software functionality of Microsoft’s applications enables business requirements to be met through configuration instead of the development of custom code. (Best examples: versioning, audit logging, multistage workflow, survey, search, reporting, and dashboard functions.)
- Practical and cost-efficient. Most organizations have already standardized on Microsoft and have most of the necessary applications to run the solution, thereby reducing acquisition costs and freeing up resources for more value-added activities
6. Tips for implementing an EGRC platform.
In order to adequately address ongoing business risk and compliance, organizations need a transparent view of their enterprise. A leading-edge approach has these elements:
- Use strategies, processes, and technologies to manage risk and compliance enterprise-wide proactively.
- Use automated workflows to increase efficiency and reliability.
- Provide a comprehensive enterprise risk and compliance management framework.
- Build a library of identifiable risk indicators and control activities.
- Stay current with new and emerging risk factors and compliance issues.
- Leverage insights about leading practices from many industries.
- Create a “one size fits one” risk-based compliance solution that will drive business value and reduce costs and complexities.
7. Realize the benefits of integrated risk and compliance management.
By introducing an EGRC solution, you will realize the following benefits:
- Reduce costs
- Reduce audit fees, fines, and penalties through integrated systems, controls, processes and audit trails
- Save internal costs and gain efficiency by redeploying resources from manual and duplicative controls
- Reduce Complexity
- Replace silos of risk and compliance activities with an overarching, integrated view
- Reduce risk and compliance complexity by integrating and de-conflicting risk requirements
- Increase Business Value
- Align a comprehensive risk strategy with specific execution controls through transparent processes and technology
- Make better, informed decisions with forward visibility into risk and compliance through data transparency and real-time reporting
- Improve risk and compliance management with a solid governance structure
8. What you need is a Governance Model.
We believe there are four key competencies in a governance model: 1) guiding/strategizing, 2) designing/coordinating, 3) executing, and 4) monitoring.
- A Steering Committee with executive sponsors will guide the company by defining a policy for EGRC and aligning it with the Information Management policy.
- Project teams will initially design and coordinate processes to enable each business to fulfill their execution obligations for EGRC consistently, and Working Groups will monitor these for continuous improvement.
- Each business will execute and enforce the policies and processes for EGRC.
- Internal Audit will audit and monitor adherence to the policies and processes as part of routine audits of EGRC.