Transforming risk lens with GRC platforms (2)

A typical GRC Functional model follows this pattern. Both manual and automated input feeds into the content management platform that generates the desired output-communication and integration. Right on top you have the reporting and analytics engine also feeding into the content management that drives workflow management right across the enterprise.

The basic functional components as contained in the literature include:

•  Data modeling – Data modeling supports the establishment of a consolidated GRC framework and entity hierarchy within which detailed business records are managed. This core component is used across all GRC platform. The flexibility of the data modeling architecture is essential in integrated GRC deployments.

•  Content management – This component is basically applicable to individual business records. Content management supports authoring, rich-text editing, cross-referencing, tagging, workspace/file collaboration with control of version, change history or edit;

• Project management – Project management capabilities are utilized to manage project schedules, activities and work papers related to multiple GRC efforts, most notably audit and case management. These capabilities are very important when it comes to IT project portfolio management and are becoming more useful for the management of regulatory projects.

• Workflow management – This component is crucial because it automates responsibility and facilitates enterprise communication, collaboration, notification, accountability and assurance, and review. It is used across all GRC domains; and

• Regulatory change management: This basically incorporates external regulatory feeds from multiple content providers in order to be updated with the latest change in the regulations that take place in this dynamic business world.

Additional components that are central for supporting the core architecture are:

• Configuration – Configurability is essential to meeting unique customer requirements related to the data model, data input and visualization, and reporting;

• Data integration – GRC platforms mostly provide seamless integration across third-party systems via a web-based application program interface (API) as well as automated common-data-format uploads;

• Data security – GRC platform vendors typically offer a rule-based security architecture that supports enterprise, entity, record and field-level security;

• Contextualization – When there is integration in GRC implementation, the ability to provide different navigation and input screens become very important for organizations because they are likely to use a more intuitive platform; and

• Performance – The organization must start evaluating architecture performance by establishing performance standards based on the composition of users. Many GRC platforms lack “petulance” even when not under heavy load. Knowing the vendor’s largest implementation and comparing it with the size of yours will help ensure that the platform meets your load requirements.

There can and should be a central core GRC platform that connects the fabric of GRC processes, information and other technologies together across the organization. This architecture is the hub of GRC management and requires that it be able to integrate and connect with a variety of different systems and enterprise applications to deliver on GRC.

Approaching GRC in a collaborative inter-departmental strategy supported by a common information and technology architecture has delivered efficiency, effectiveness, and agility for many organizations. A portion of this success is selecting the correct information and technology architecture and platform to enable Enterprise GRC.

The range of platforms for Enterprise GRC has grown and evolved over the past decades. Where there used to be just a few solutions to choose from there are now over fifty with varying capabilities and approaches. 

These platforms offer varying breadth and depth of capabilities, and certainly no one offers a one size fits all solution. It has become a complex segment of the GRC market to navigate, understand, and find the solution(s) that is the perfect fit for an organization.

Let me share with you this important information provided by Onspring Technologies:

As you consider the different GRC platforms and solutions available in the market, make sure to engage your points of contact and get as many details about the products as possible. Once you sort through the RFP responses and select the finalists for your organization’s new platform, look to see how many of the contenders have answers and solutions that include the following items.

• Essential Questions. Ask the prospective companies about their GRC software:

o  Testing. How easily can you test and gather information within the platform?

o  How do you handle performance issues?

• Customization.

o How easy is it to customize the platform?

•  Best Feature.

o What do the vendor’s customers consider the best, most valued part of the platform?

•  Priority.

o What solutions are you looking to implement first (Audit Management, Policy Management, Risk Management, etc.)?

• Efficiencies.

o What are some good examples of time-saving operations commonly done in the platform?

Special Features of Top-Performing Platforms.

• Consider these special attributes that only a handful of solutions have:

o No-code platform. Simplified adaptation of your workflow without development involvement.

o Surveys. The ability to collect and share information from non-users.

o Integration. Can your product integrate with external systems (other tools/platforms)?

o Quick edit changes. The ability to edit from a queue without entering the full record, including bulk editing.

o Create new applications. Easily customize within the platform without using custom code.

o Cloud-based. Automatic system updates—no worrying about backups or outdated versions.

o Process automation. The tool auto-creates records based on changes to other records.

Emmanuel Moore ABOLO

Dr. Emmanuel Moore ABOLO is the President, Institute for  Governance, Risk Management & Compliance Professionals/GMD, The Risk Management Academy Limited.