Peter Williams, Senior Analyst, Bloor Research
Regulatory compliance is now a burning business issue with major IT implications. The appointment of a compliance manager is becoming commonplace—and yet compliance, like risk (for which there is often a risk manager), is part and parcel of governance—and needs to be thought of as such.
Typically, good governance is a key responsibility addressed at board level and policies to achieve this then filter down through the organisation. Risk assessment and the consequent risk reduction measures are part of this, with regulatory and statutory compliance needed also to minimise company risk and achieve good governance. (Security comes under this umbrella too and is a major subject in its own right, but in this context it is often considered part of the risk reduction function).
Many organisations that think of governance, risk and compliance (GRC) functions separately, and have different people handling them, are, I think, missing a trick (despite the over-hyping of GRC by some of the consultancies). There are some important benefits in considering them all as aspects of the same issue. A few software companies have recognised this G-R-C convergence and changed their focus accordingly, so that there is now an emerging GRC IT sector.
Perhaps the most advanced in the UK in terms of functionality is Peapod, which I referred to last month, and which has brought together several third party products addressing different parts of the need. However, as you would expect, the guys in the US are also on the case. So I will focus on one US-based vendor's offering, which also illustrates the advantages of looking at this holistically. The company is Polivec (from ‘policy vector’) which, unlike Peapod, is growing a mainly in-house GRC solution.
Polivec's approach starts with a ‘view from the top’ of the enterprise. From this vantage point the compliance, risk or security manager—or better still the overall ‘governance guru’—can view the whole organisation, its people and processes. The information is all accessible in real-time from this dashboard so it can be acted upon quickly.
So an obvious first benefit is that governance fragmentation is reduced, because the approach brings the previously disparate strands together. Resulting advantages include avoiding the pitfalls of duplicating a function, or missing it altogether because it falls between two disciplines, and eliminating communication gaps between people in the separated functions. Sometimes those developing, say, the compliance rules do not fully understand the business impact of doing so—and this needs to be factored in. Issues over lines of accountability also exist, and these can be better ironed out.
Obviously, this is not all down to the software, but this very approach will act as a catalyst to promote a better organisation GRC structure.
Whether it is the ‘G’, the ‘R’ or the ‘C’, the need is always to produce policies, with all the procedure steps defined. So a central repository contains all the policies, along with regulations and standards which can in turn be broken down and linked to specific policies as appropriate.
What goes with this, and is in my view a must for this type of software, is an engine that maps policies to company requirements, including regulations. Polivec's solution has an editor which does the linking using drag-and-drop capabilities.
The rules are held hierarchically and, as changes are made, there is a progression from draft to approved and active. In fact the whole cycle is also audited, right up to the point when a rule becomes part of the live workflow. This is also important to compliance, since the outside assessors who check for businesses' compliance are especially interested in evidence of best practice and procedures, as well as the resulting statistics.
“Effectively, this puts the policy in the driver's seat,” Polivec's VP of marketing Tom Grubb told me.
Internal procedures, including manual activities, are separately captured—and the software ‘technical manager’ can link to data anywhere in the flow. But there is a gap. Collecting data is not the same as being compliant with regulations; gathering the evidence does not in itself make you compliant.
Grubb added that, while the tool was pretty straightforward to use and, once running, fairly self-sufficient, the challenge was in interpreting the needs. In fact, creating and maintaining policies is hard, however much software may help. There are inside and outside policies, they need to be written properly and then kept up-to-date with every change that occurs. Compliance managers also know that legislation and regulatory compliance issues—and headaches—multiply with multi-national operations, and Grubb described this situation as “the wild west” right now.
The Polivec software can then be used to ensure the appropriate parts of each policy are distributed to all applicable employees, with policy enforcement criteria applied at any company level. In this way, new procedures can be implemented very rapidly.
Then again, an employee receiving a policy is not the same as him or her abiding by it in practice. So the software also includes employee awareness quizzes to capture their knowledge and assess what extra training is needed; this encourages internal compliance and good practice.
All of this is about simplified and better management, and reduced admin workload, and there are a few bells and whistles such as ‘what-if’ risk analysis for fine-tuning. The market has, for a long time, had a number of point solutions which help with some of these aspects but, so far, very few indeed take a full GRC perspective as I have described here.
However, what no software yet solves—and maybe never will completely—is how to turn a policy into its technical implementation automatically; for instance, taking a general high-level security policy and turning it into IT functionality wherever needed, say for application access.
In this context, the Polivec software does not deal with classifying computer-stored information to assist in automating some policies and helping them become more granular. Other software may do that—which illustrates that third party elements will inevitably be needed to arrive at the optimum overall GRC solution. Despite this, using software that supports implementation of GRC in a holistic way will help the business get a handle on the huge GRC task, providing clarity and easing the total burden.