The acronym GRC stands for Governance, Risk, and Compliance and refers to an organization’s approach toward managing these processes. OCEG defines GRC as “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.” Let’s look at the three elements more closely:
Governance: With an increase in activism among shareholders and increased scrutiny from the regulatory bodies, corporate boards and executive teams are more focused on governance related issues than ever before. The governance process within an organization includes elements such as definition and communication of key business objectives, corporate control, key policies, enterprise risk management, regulatory and corporate compliance management and oversight (e.g., compliance with ethics and corporate policies as well as overall oversight of regulatory issues) and evaluating business performance through balanced scorecards, risk scorecards, and operational dashboards. A governance process integrates all these elements into a coherent process to drive corporate governance.
Risk Management: With the recent jump in regulatory mandates and changing market dynamics- both locally and globally, many organizations have started to identify and manage areas of risk in their business: whether it is financial, operational, IT, brand, or reputation related risk. These risks are no longer considered the sole responsibility of specialists – executives and the boards demand visibility into exposure and status so they can effectively implement the organization’s long-term strategies. As a result, companies are looking to systemically identify, measure, prioritize, and respond to all types of risk in the business, and then manage any exposure accordingly. A risk management process provides a strategic orientation for companies of all sizes in all geographies with a formal process to identify, measure, and manage risk. Risk insights can help organizations take strategic advantage of any market conditions.
Compliance: An initiative to comply with a regulation typically begins as a project as companies race to meet deadlines to comply with that regulation. These projects consume significant resources as meeting the deadline becomes the most important objective. However, compliance is not a one-time event - organizations realize that they need to make it into a repeatable process, so that they can continue to sustain compliance with that regulation at a lower cost than for the first deadline and effectively manage new, updated and changed compliance requirements. When an organization is dealing with multiple regulations at the same time, a streamlined process of managing compliance with each of these initiatives is critical, or else, costs can spiral out of control and the risk of non-compliance increases. The compliance process enables organizations to make compliance repeatable and hence enables them to sustain it on an ongoing basis at a lower cost.
Governance, Risk, and Compliance Guideline
In order to articulate what makes a solution a GRC solution, we must first lay out a GRC solution framework. This framework identifies a comprehensive set of capabilities of a GRC solution and provides a benchmark to evaluate any solution against it and assess if it is a GRC solution or a point solution.
Capabilities of the GRC solution include:
A successful GRC program integrates into the company culture, ethics, and principles. Compliance isn’t just about rules; it is about behavior. Professionals at various levels of the enterprise, like chief risk and compliance officer, have become an important nexus of GRC insight across the organization. Let us give a look at few executive roles that are usually considered by organization to take up the challenge to maintain world-class GRC program across the organization:
Chief Financial Officer
Financial reporting, performance management, budgeting, and other financial processes provide the CFO detailed insight into the workings of virtually every business, division and department within the company. Further, as the advantages and potential pitfalls of managing the financial processes and enterprise compliance are quite similar, it follows that the CFO could provide leadership in the area of company-wide financial compliance and SOX certification.
Chief Compliance Officer
Compliance Managers are entrusted with ensuring that the organization has the processes and controls to meet the requirements imposed by governmental bodies, regulators, industry mandates like Anti-Money Laundering, Foreign Corrupt Practices Act, cGMP, GLBA or internal policies. However, as the multiple compliance initiatives become more intertwined from regulatory and organizational perspectives, Chief Compliance Officers are also focusing on effective rationalization of controls to provide a clear, unambiguous process for compliance management and to deliver a single point of reference for the organization.
Chief Risk Officer
Risk Managers’ role has evolved from that of managing a predetermined set of risk exposures to identifying core business areas where the company should be willing to retain risks to seize growth opportunities and generate returns for investors. This ties risk management to business performance and changes the risk management from an exclusive centralized function to a federated, top-down approach aligned centrally with business objectives and reporting and assessments are distributed to lines of business for ownership, execution and accountability. By managing risk appetite and response to risks, Chief Risk Officers drive organizational behavior today.
Chief Audit Officer
Audit Managers are accountable for monitoring risks and ensure compliance across organizational silos and the role is evolving into an independent and horizontal function. This requires a common framework for all types of audits – financial, risk, operations, internal, suppliers, and compliance –such that auditing priorities are determined by an enterprise-level risk-based approach and not departmental and tactical imperatives.
Chief Quality Officer
Combination of product proliferation, outsourced manufacturing operations, a stringent regulatory environment and rigorous customer requirements is driving Quality Managers to proactively manage their quality processes. Quality Managers are leveraging best practices that call for integrated processes for compliance with internal quality standards and policies and industry mandates like TS 16949, ISO 13485, and ISO 22000, Six Sigma, and TQM.
Chief Information Officer
With IT governance and compliance process becoming inclusive of multiple internal and external stakeholders, organizations are increasingly adopting an integrated IT governance framework, which ensures information and systems integrity, data security and privacy, and compliance to quality mandates like COBIT, ISO 17799/27002, ITIL, SAS 70, etc.
Chief Legal Officer
Cultivating a culture of compliance and maintaining a high level of integrity among employees are growing challenges today due to greater regulatory oversight and investor activism. Legal Counsels help employee employees to adopt policies and procedures, follow the code of ethics, and adhere to principles of corporate governance.
Chief HR Officer
Providing guidelines, monitoring processes and providing constant access to information, rigorous training and awareness programs on compliance and ethics is proving essential to ensure effective implementation of governance programs. Most HR managers provide an integrated training platform to ensure compliance with HR policies and procedures, compliance with governmental health and safety regulations, and compliance training and certification.
Chief Sustainability Officer
Top sustainability executives are responsible for overseeing all environmental, social, and governance aspects of organizations. This includes encouraging green practices, managing environmental impact, and promoting diversity, equity and inclusion in workforce, among others. With increasing regulatory focus on ESG, sustainability officers today are also required to stay on top of regulations, assess and report ESG posture by leveraging various ESG frameworks such as GRI, SASB, and TCFD, and ensure compliance.
Chief Sourcing Officer
Predicting and preventing third-party risks is critical for today’s dynamic organizations that are highly dependent on their supplier ecosystem for business-critical operations. Chief sourcing officers are tasked with monitoring and mitigating new and existing risks from suppliers, contain costs, and accelerate business performance.
Many organizations find themselves managing their governance, risk, and compliance initiatives in silos - each area managed separately even if reporting needs overlap. Even though each of these business functions individually follow the governance, risk, and compliance process outlined above, when organizations deploy point solutions to enable and automate these processes, they ended up with dozens of such systems to manage individual governance, risk, and compliance processes, each operating in its own silo.
Several organizations find themselves in this situation today. However, they are quickly finding that as the multiple risk and compliance initiatives become more intertwined with regulatory and organizational perspectives, multiple systems cause confusion due to duplicative and contradictory processes and documentation. In addition, the redundancy of work, as well as sheer expense of maintaining multiple point software solutions cause the cost of compliance to spiral out of control. At the same time, reliance on multiple point solutions also increases cyber risk exposure of organizations.
By taking an integrated GRC approach and deploying a single system to manage the multiple governance, risk, and compliance initiatives across the organization, the issues listed above can be easily addressed. Such an approach can:
According to a recent note from Gartner, “For Sarbanes-Oxley, we put the burden on a global Bank at about 0.2 percent to 0.4 percent on EBITDA. So if the Securities and Exchange Commission is one of 370 regulators for a global bank - to approach each regulatory program individually would eat up all the profits. Lots of companies have separate compliance programs for every regulatory regime. As regulatory regimes proliferate, a comprehensive compliance program keeps regulations from depressing earnings”.
An integrated GRC approach enables an organization to integrate and streamline these individual compliance initiatives, so it can significantly reduce the cost of compliance.
It is critical that a GRC solution must be connected and be able to address a wide range of compliance, risk management and internal audit initiatives so that an organization can leverage it to deploy a consistent framework across the enterprise. Many vendors window dress their point solution by re-labeling it as a GRC solution or adding support for a few additional regulations to claim multi-regulatory label.
In this section, we will discuss how MetricStream supports the various GRC initiatives within the industry - whether they are enterprise GRC initiatives or operational GRC initiatives.
Enterprise Risk Management (ERM)/Operational Risk Management (ORM)
Risk within an enterprise can come from various sources including mergers/acquisitions requiring extensive integration in a business unit, new regulations that may be subject to varying interpretation or entry of a company into a new market with substantial exposure and return. By implementing a risk management framework, organizations can reduce the likelihood of unexpected disruptive business events in their environment. As a result, they can increase their operating margins, reduce earnings volatility, enhance process efficiency, improve regulatory compliance and optimize cash flow reserves.
MetricStream enables organizations to identify, assess, quantify, monitor and manage their enterprise and operational risks in an integrated manner. It brings together all risk management related data - a reusable library of risks and their corresponding controls and assessments; results from individual assessments; key risk indicators; events such as losses and near-misses; issues and remediation plans - in a single solution. Its workflow capabilities streamline the risk assessment process. Once risk has been assessed, it enables organizations to prioritize using risk heat maps and make strategic decisions on risk response.
Regulatory and Corporate Compliance
Organizations across sectors are required to operate within the regulatory perimeter – in compliance with multiple government regulations and reliability standards. Establishing an effective compliance program for ensuring regulatory and corporate compliance is no longer just an option for organizations; it is a necessity. The purpose of a compliance program is to detect, protect, and prevent misconduct while promoting ethical and legal responsibilities.
MetricStream provides comprehensive and scalable Regulatory Compliance and Policy Management software solutions designed to help organizations manage their compliance at the enterprise level.
MetricStream Regulatory Compliance and Policy Management solutions provide a common framework and a federated approach to manage all policies and compliance requirements including FERC, NERC, OFAC, regional standards, and more. The products allow organizations to define and maintain a centralized structure of the overall compliance and control hierarchy, including processes and assets in scope, risks for the processes and assets, controls to address the risks and mechanism to assess the controls. It supports the management of associated policies and procedures, reporting requirements and filing templates, schedules for various regulations, automated testing and certification.
IT Risk and Compliance
In most companies, key operational processes are managed by Information Technology systems. An IT organization, with well-defined internal controls, enables companies to identify and manage their IT related risks. Ability to manage and contain such risks is critical to ensuring compliance with regulations and mandates such as Sarbanes-Oxley Act (SOx), Gramm-Leach Bliley Act (GLBA), and Health Insurance Portability and Accountability Act (HIPAA).
Most organizations regularly test the internal controls within their IT organization to ensure secure and continuous operation of their entire information systems infrastructure. Such controls reduce IT related risks and form the basis for good IT governance. The IT Auditing and Compliance process is inherently complex as it involves multiple internal and external stakeholders. Existing audit infrastructures have evolved from the bottom up and organizations lack a single system of record preventing top-down visibility and control.
MetricStream provides purpose-built software solutions for IT risk and compliance. The products ensure proactive approach to IT risk management and sustained compliance of IT controls at significantly lower costs. They enable organizations to efficiently identify IT and cyber risks, define the controls they want to test, maintain a repository of tests, perform assessments, identify issues and drive the remediation process. Cyber risk quantification capabilities enable CISOs and security teams to accurately express cyber risk exposure in monetary terms and better communicate the organizational cyber risk posture to the stakeholders.
Third-Party Risk Management
Business models around the world are changing, and as they do, third-party ecosystems are growing larger and more complex. Many organizations find it challenging to manage these growing numbers of third parties using a traditional, manual, or siloed approach. They are also realizing that monitoring third-party performance and risk across disparate internal systems and business units can be a costly and time-consuming exercise. To effectively manage the risks from these vast ecosystems, and to strengthen third-party quality and performance, organizations need a robust third-party risk management program.
MetricStream Third-Party Risk Management automates and streamlines workflows across the extended enterprise, including third as well as fourth parties. This includes third-party evaluation, due diligence, risk rating, selection, onboarding, monitoring, contract management, and more. Essentially, it enables organizations to make informed choices about their suppliers, in keeping with regulations and compliance requirements. It also helps in defining ongoing monitoring activities based on supplier criticality.
Business Continuity Management
In today’s fast-moving and uncertain business environment, organizations need to be adaptable, agile, operationally aware, and tactically capable of responding to any business disruption. It is crucial to establish robust business continuity and disaster recovery capabilities that can, in the event of a crisis, help the business protect its operations, finances, reputation, and employees.
MetricStream Business Continuity Management helps establish a centralized and integrated approach to manage BCM activities with capabilities to streamline workflows and automate metric computations. It provides a flexible, integrated, and robust platform to meet multiple BCM needs, including business continuity planning, risk assessments, disaster tracking, and recovery action initiation and management. Users can proactively plan crises responses, periodically test recovery procedures, enable rapid recovery from disruptive incidents affecting business operations resources, and document the associated risks.
Threat and Vulnerability
Cybersecurity is a top priority for every CISO. As organizations increasingly pivot towards cloud and mobility solutions, IT and cyber risks are amplifying with the ever-increasing threat surface areas and vulnerabilities. To protect organizations, IT and information security teams need to be able to identify critical assets and adopt a risk-based approach towards analyzing and resolving potential threats and vulnerabilities.
MetricStream Threat and Vulnerability Management enables organizations to manage information security threats and vulnerabilities in a systematic and integrated manner. A built-in integration engine imports and consolidates threat and vulnerability information from various sources, thereby providing a unified view of the data. In addition, a centralized repository helps map threat and vulnerability data to assets and other business entities, enabling you to clearly visualize the organizational information security program library (assets, asset classes, areas of compliance, and their relationships).
Most companies run operations in accordance with government regulations, industry mandates and corporate governance standards. As a result, they are required to conduct regular audits to ensure compliance. With increasing business complexity and the rising number and types of audits companies need to conduct, audit managers are realizing that point-solutions and spreadsheet-based systems are not suited for managing audit programs.
MetricStream Internal Audit Management provides the building blocks for streamlining audit management process in organizations. It provides the flexibility to support any type of audits, simple or complex, internal and external and for any regulation or function. It enables centralized control of audit resources and planning to support auditing as a corporate function. It provides comprehensive scheduling assessment and tabulation capabilities. Powerful reporting and analytics on audit data are made easily accessible. Advanced capabilities like built-in workflows, email based notifications and alerts, risk assessment methodologies and offline functionality for conducting audits at remote field sites allow organizations to implement the industry best practices for efficient audit execution.
Case and Incident Management
Regulatory bodies and governments across the world are increasingly introducing regulations to protect customers and other stakeholders from adverse incidents. Whether they are human errors, or fraud, or even incidents arising from GRC processes, organizations have to pay the price, just as much as the perpetrator of the incident. Therefore, it is critical to have a robust case and incident management system that can identify and resolve such incidents in time, while providing sufficient insights to ensure that the incident does not reoccur.
That said, an incident management system by itself cannot prevent adverse events. But when supported by robust risk, compliance and audit processes and technology, it can make all the difference to the success or failure of one’s GRC strategy.
MetricStream Case and Incident Management enable organizations to establish and follow consistent procedures for incident capture, exception logging, loss event tracking, task management and status reporting. Built on a centralized platform, the incident management solution extends across the enterprise, consolidating all incidents in a single point of reference. It also streamlines and standardizes the development and implementation of enterprise-wide remediation and corrective action plans.
MetricStream, the global SaaS (Software as a Service) leader of Integrated Risk Management (IRM) and GRC solutions, empowers organizations to thrive on risk by accelerating growth via risk-aware decisions. MetricStream enterprise software solutions help organizations across diverse industries such as Banking, Insurance, Automotive, Food, Pharmaceuticals, Manufacturing, and Electronics implement a connected approach to governance, risk management, and compliance processes across the extended enterprise. MetricStream ConnectedGRC and three product lines – BusinessGRC, CyberGRC, and ESGRC – are based on a single, scalable platform that supports organizations on their GRC journey.
MetricStream delivers the most comprehensive mapping of the GRC framework:
Here are some examples of how MetricStream integrated GRC solution helped companies across industries effectively manage multiple Governance, Risk and compliance business initiatives:
Growing regulatory environment, higher business complexity and increased focus on accountability has led enterprise to pursue risk and compliance initiatives across the organization. However, these initiatives are uncoordinated in an era when risks are interdependent and controls are shared, leading to gross inefficiency, duplication of efforts and a silo view of the world. GRC systems through control, definition, enforcement, and monitoring have the ability to coordinate and integrate these initiatives and address the above mentioned issues. MetricStream provides the most comprehensive GRC solution in the industry today.
With a comprehensive set of GRC capabilities, support for a very broad set of compliance initiatives ranging from ethics and options compliance to SOX or internal audit to cGMP or ISO 9000, supplemented with rich industry content from ComplianceOnline.com - all built on an enterprise class platform make MetricStream the most compelling GRC solution in the industry today. For additional information, visit us at: www.metricstream.com.