What’s at the core of GRC technology? According to Joe DeVita, Partner & GRC Technology Leader, PwC, successful GRC technology must align, automate and integrate business processes.
Joe’s perspective is based on an extensive background in audit and tax, ERP implementations, and over 20 years with PwC.
In the Tech Talk video interview “Overview of Technology for GRC,” Joe provides background and insights into GRC technology, offers tips on how to get started, and, for anyone looking for GRC technology benefits, gives a healthy list with many examples.
Begin With The Business Process
Joe explains that GRC technology evolved from four main business processes, “(1) IT risk and compliance, (2) internal audit, (3) Sarbanes-Oxley Act (SOX) and, (4) risk.” The developers of GRC technology found they could align the structure, controls and content in these business processes. Joe explains, “If you looked at some of the tools that are out there the longest, they’re now enterprise tools because they figured out how to get to the right content.”
You must evolve both your business processes and your controls as your business changes. “As you look at business processes and cycles, various controls get added and you can consolidate them into one control; but as business processes change those controls need to evolve. You need governance to make sure those changes occur with collaboration among all of the people who are leveraging that control.”
Bring Compliance and Risk Together
In the past, business process automation and compliance process automation have been disconnected. The vision is to closely align and integrate these processes. “You get more involvement from the business process owners which creates better automation, better evolution of those business processes over time, greater compliance initiatives, with less activity to ensure compliance.”
Increased Demand for Compliance Information
Vendors and customers are increasing the pressure. They’re asking businesses to answer policy and compliance questions such as:
- What is your ethics process?
- How do you ensure fair labor standards?
- What are your IT policies and processes?
- How do you manage ‘bring your own device’ and data security?
- Are you complying with the Foreign Corrupt Practices Act (FCPA)?
Align, Automate, and Integrate
Joe discusses three key themes in the interview: alignment, automation, and integration.
Successful GRC technology aligns compliance and risk management. Whether compliance is driving risk management initiatives or risk management is driving compliance initiatives, both sides must be managed. The ability to manage, sustain and evolve these activities over time creates “a momentum of continuous improvement, continuous evolution of your risk and controls and your business process.”
Once you align risk and compliance processes you can automate them. As Joe explains, compliance and risk initiatives can slow down business. Business process owners “get asked four or five times from various compliance initiatives within the organization.” With the right GRC technology, business process owners don’t need to be asked about compliance; the system collects the data for them automatically.
Automation lets you pull data from multiple compliance and risk initiatives into dashboards with key performance indicators. When the data shows a key performance indicator is out of range (signaling a risk to the business), a workflow is started to track, document and correct the issue.
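The following is an added example, not code from the interview, PwC or OCEG, of what that automation loop looks like in practice: collectors pull control evidence (here, a constructed account list from an identity provider and a constructed log of access reviews), each control is reduced to a key performance indicator with a minimum threshold, and every out-of-range indicator opens a remediation workflow item unless one for that control is already open, so a daily run does not flood the process owner. The control IDs, field names and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample evidence (not real data). The field names are
# assumptions about what an identity-provider collector and an
# access-review collector would return.
ACCOUNTS = [
    {"user": "alice", "privileged": True, "mfa": True},
    {"user": "bob", "privileged": True, "mfa": False},
    {"user": "carol", "privileged": True, "mfa": True},
    {"user": "dave", "privileged": False, "mfa": False},
    {"user": "erin", "privileged": True, "mfa": True},
]
ACCESS_REVIEWS = [
    {"system": "ERP", "completed": date(2024, 5, 15)},
    {"system": "HR", "completed": date(2024, 4, 20)},
    {"system": "Payroll", "completed": date(2024, 6, 1)},
]
AS_OF = date(2024, 6, 30)  # reporting date for the constructed sample


@dataclass
class Kpi:
    control_id: str   # hypothetical ITGC control reference
    name: str
    value: float      # 0.0 .. 1.0
    threshold: float  # minimum acceptable value

    def in_range(self) -> bool:
        return self.value >= self.threshold


@dataclass
class WorkflowItem:
    control_id: str
    summary: str
    status: str = "open"


def privileged_mfa_coverage(accounts) -> Kpi:
    """Share of privileged accounts protected by MFA; the control demands all of them."""
    priv = [a for a in accounts if a["privileged"]]
    covered = sum(1 for a in priv if a["mfa"])
    value = covered / len(priv) if priv else 1.0
    return Kpi("ITGC-AC-02", "privileged accounts with MFA", value, 1.0)


def access_review_timeliness(reviews, as_of, max_age_days=90) -> Kpi:
    """Share of systems whose last access review is within the review period."""
    fresh = sum(1 for r in reviews if (as_of - r["completed"]).days <= max_age_days)
    value = fresh / len(reviews) if reviews else 1.0
    return Kpi("ITGC-AC-05", "systems reviewed in last 90 days", value, 0.95)


def open_workflows(kpis, register):
    """Open one remediation item per out-of-range KPI, skipping controls that
    already have an open item. Returns the items opened in this run."""
    already_open = {w.control_id for w in register if w.status == "open"}
    new_items = []
    for k in kpis:
        if k.in_range() or k.control_id in already_open:
            continue
        item = WorkflowItem(
            k.control_id,
            f"{k.name}: {k.value:.0%} is below the {k.threshold:.0%} threshold",
        )
        register.append(item)
        new_items.append(item)
    return new_items


def run_cycle(accounts, reviews, as_of, register):
    """One collection cycle: compute every KPI, then raise workflows."""
    kpis = [privileged_mfa_coverage(accounts),
            access_review_timeliness(reviews, as_of)]
    return kpis, open_workflows(kpis, register)


if __name__ == "__main__":
    register = []
    kpis, opened = run_cycle(ACCOUNTS, ACCESS_REVIEWS, AS_OF, register)
    for k in kpis:
        state = "OK" if k.in_range() else "OUT OF RANGE"
        print(f"{k.control_id} {k.name}: {k.value:.0%} (min {k.threshold:.0%}) {state}")
    for w in opened:
        print("opened workflow:", w.control_id, w.summary)
```

Running it on the constructed data opens one workflow item (privileged MFA coverage is 75% against a 100% threshold) and none for access reviews; running the cycle again with the same register opens nothing, because the MFA item is still open. Closing the item in the register (setting its status) is what lets the next run re-raise it if the KPI is still out of range.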
“The more you can automate and integrate the more effective that initiative becomes with less activity.”— Joe DeVita, PwC
GRC Technology Tools
While alignment, automation and integration are the goal, many organizations are still working on how to align and automate compliance and risk initiatives. Full integration is still an aspiration.
Part of the challenge is determining which set of tools will align the most data elements. While Joe is open to the possibility of a single GRC technology tool, he is skeptical. “I think most organizations are complex enough at a certain scale that they’re never going to have one tool to solve all their initiatives.”
More likely, says Joe, is that GRC technology providers will consolidate while cloud-based and niche solutions emerge.
No matter the tool set or platform, Joe predicts that in the future, “almost every corporate organization in the world is going to have a GRC tool to manage and report on its risk and compliance activity.”
How to Get Started with GRC Technology
While every organization is different, Joe recommends the following steps to get started with planning for and implementing GRC technology.
- Get your team in place – executives (CEO, CFO, CIO, CISO, CRO, CAO, CCO), audit committee and business process managers
- Ask for input from the business process owners – make sure you understand their objectives
- Find a solution that addresses your biggest risk – look for the “largest risk or the easiest place to automate and start to integrate”
- Consider IT risk as a starting point – it requires a limited number of resources, and addresses many vendor and customer policy and compliance questions
- Establish a governance committee and governance model – make sure everyone stays on the same page and follows a GRC technology roadmap
- Start with automation initiatives – automation will lead to opportunities for integration
- Keep the implementation project small – Joe cautions, “When you look at GRC implementations from 10 years ago, a lot of them didn’t get off the ground as much as they should have because they tried to do too much – they tried to boil the ocean.” GRC technology leaders should focus on one or two areas to automate.
GRC Technology Benefits
GRC technology benefits range from those that are easy to track and measure, to those that are harder to quantify, to those that generate revenue. For example:
- Shorter reporting time frames
- More consistent documentation
- Fewer people needed to complete initiatives
- Lower initiative costs
- Fewer fines, audit restatements and SOX failures
- More effective compliance spend
- Faster, more consistent responses to vendor risk assessments
- Customer confidence in a validated conflict-free supply chain
- More engaged business process owners
Business is more effective and sustainable with the alignment, automation, and integration of compliance and risk. As Joe says, when compliance and risk information “sits on spreadsheets and Word documents and people’s heads, it’s very hard to ensure sustainable compliance over time.”
Learn More: Watch OCEG Tech Talks
Joe DeVita, Partner & GRC Technology Leader, PwC, offers many more insights in the Tech Talk “Overview of Technology for GRC.”
“Overview of Technology for GRC” is part of OCEG’s Tech Talk Series. The online videos explore GRC technology through interviews with solution experts. Visit the full series listing for more information.