This two-part series is aimed at business executives, compliance professionals, auditors, security professionals, process-improvement champions and program office leaders. It will also interest consultants across a wide range of governance, risk and compliance (GRC) and other business and technology specialty areas, whether they work as freelancers or for small, medium-sized, large or global mega-consultancies. Help-desk and technical support-center professionals will also benefit, because they must ready their organizations for the GRC-support crisis now at the doorsteps of companies worldwide. Support-desk roles and responsibilities lie at the heart of what's covered in this article and in the one coming next quarter.
Part One: Executive Summary

This article defines the GRC support ecosystem and explains why it is an inevitable trend. I'll compare supply-chain ecosystems to GRC support-chain ecosystems and define GRC support-infrastructure concepts and components, such as the GRC program office, help desk, center of excellence and enabling technology. These organizational entities and support-resource depots are the starting points that must be in place to move your company forward. They provide measurable value, with the side benefit of helping overcome employee resistance to business change. Once your GRC support-system core is in place, you will have positioned your company for business growth and improvement. This strategic value culminates in the opportunity to achieve net margin increases of 6 percent to 10 percent. These are not only reasonable goals; they are extremely compelling targets for today's business leaders. Affordable enabling technology is now available to help you get going quickly, and I'll explore this, too.

In the second half of this series, I'll focus on the work practices that drive the GRC support ecosystem and link its components into a virtual support chain. I'll outline two proprietary good-practice frameworks that apply to companies of all sizes and industry sectors: the Information Technology Infrastructure Library (ITIL) from the United Kingdom's Office of Government Commerce, and the Capability Maturity Model Integration (CMMI) for Services framework from Carnegie Mellon University's Software Engineering Institute.

Supply-Chain Concept

In the 1980s and '90s there was strong interest in how supply (or value) chains served various industries. Supply-chain information, materiel, alerts and flags from external companies helped a company increase its overall cash throughput.
As companies became more adept, they could define business rules and communication processes and deploy them across the entire supply chain. Information sharing also made demand forecasts and sales planning significantly more accurate (collaborative forecasting and replenishment). All of these supply-chain activities quickened communication from the downstream end of the chain, where consumers purchased goods (demand pull), back upstream to the manufacturers that made up the chain. Production output could then be adjusted in near real time according to the timely updates each company in the chain received. Supply-chain thinking culminated in the understanding that companies exist in one or more supply-chain ecosystems, in which the value-chain components collaborate and share information to benefit the entire ecosystem of companies forming the chain. Today these concepts are alive and well. Supply-chain understanding has been validated, and we now see supply chains competing with one another for global market share, each chain an ecosystem of suppliers of various sizes.

The GRC Support Ecosystem: A Web of Support Chains

Supply-chain understanding is now being applied to the GRC world, with the focus on GRC support. Whether a company is large or small, it needs expert guidance to survive in today's business environment. It is staggering in how many forms, and from how many internal and external sources, GRC guidance and support arrives. Even more eye-opening is the monumental list of support topics a company must tap into and become adept at managing. The sidebar "GRC Topics Necessitating a Support Ecosystem" gives some idea of their wide range, with examples of industry regulations, good-practice standards, technologies and other specialized areas that require expert guidance or support.
Beyond conversations with GRC support personnel when needed, the output of the GRC support ecosystem is knowledge: functional and enterprise requirements and other business-rule guidance. The ecosystem can also supply your company with a range of data generated by software-as-a-service (SaaS) applications subscribed to on a month-to-month basis.

Now consider why GRC support is mission-critical to a company's long-term success. A company's GRC-support infrastructure is undergoing huge changes under a hailstorm of new threats, laws, standards and regulations, changes to existing regulations, new technologies and so on. Each topic in the accompanying list requires some level of formal, specialized support: someone with the necessary skills must be assigned to oversee the topic and be held accountable for it. If GRC support resources exist within your company, the key questions are: Where do we have coverage? Where do we have little or no coverage? And to what extent do those who manage these areas have the time, authority and skills to manage them effectively? For most companies, support coverage is extremely spotty. In the large majority of companies, senior compliance or IT professionals juggle myriad topics informally and part time. Junior employees are not being hired and trained as quickly as needed, so experienced workers are often over-taxed. This is a real risk that must be addressed quickly.

You should now appreciate how troublesome and risky a lack of quality, formalized GRC support can be within your company's four walls. An equally high risk is a company that has not identified affordable, reliable third-party resources to support its onsite personnel before a crisis happens. You must connect the scarce internal resources your organization has with external islands of support. This, in essence, forms your company's virtual GRC support chain.
When properly configured, the result is a virtual support ecosystem that gives you proper coverage of the GRC domains and stays current with your company's evolving circumstances and regulatory landscape.

Internal GRC Support

A GRC support infrastructure is composed of links, or support entities. The goal is to connect these links, like a chain, with a company's global program management office, help desk, projects and centers of excellence. We align the support with the needs of the business and IT professionals who will consume the support resources. We must make sure these internal support resources are aware of the requests, cases, problems and other matters that fall into their areas of concern, so that when we escalate an issue we can rapidly notify the parts of the support infrastructure that must be informed or take action.

The core of a company's internal GRC support infrastructure is the GRC program management office (PMO). A PMO oversees a portfolio of GRC projects and manages a portfolio of enterprise risks. It coordinates milestones and events and can help a company institutionalize important practices such as process modeling. The PMO can also spearhead process integration, which is a good way to institutionalize business and IT practices as they are rolled out. There is a growing need for GRC program offices to manage compliance rules and requirements: using enterprise-class data repositories, a company can drive business-rule and process automation of its internal controls. Some leading companies and federal agencies are already moving in this direction.

Besides managing projects, a PMO can oversee the best practices being explored or rolled out. We often use the term "center of excellence" (COE) for any individual or group assigned to research a new practice or technology. For instance, suppose we assign one IT auditor and two IT professionals to assess encryption technology. They become the company's experts on the subject.
These COE support resources may then be responsible for rolling out internal education once a vendor and product are recommended and approved for purchase. Ideally a COE consists of at least two people and, given the need, could have its own help desk so that it can provide critical services to the enterprise. Alternatively, it can use the help desk managed and deployed by the PMO; today's help-desk technology lets companies do this very inexpensively. A COE can also be built around a best-practice framework such as COSO (the Committee of Sponsoring Organizations of the Treadway Commission), COBIT (Control Objectives for Information and Related Technology) or Generally Accepted IT principles, or around a specific regulation such as Basel II or Sarbanes-Oxley. That may seem counterintuitive when dealing with the larger compliance picture, but companies have the option to deploy COEs according to their own needs.

External GRC Support

Once we integrate our internal support infrastructure with external support resources, we have the makings of a GRC support ecosystem. We use the word "ecosystem" for this virtual support environment because we must plan to enable the support-resource links with technology and practices that greatly boost the overall levels of communication, control, coordination and collaboration. I'll detail these practices in the second article of this series. External support links range in size from micro-support entities (individuals or small teams) to large, global consultancies. The external ecosystem also encompasses external auditors, standards bodies and vendors of technology-based solutions. It should span the globe according to the countries in which the company does business, and should provide coverage across the myriad GRC topics that are critical to the company's future.
Once the internal and external support resources are identified, validated and placed under service-level agreements, we turn to enabling technology to connect them into an ecosystem. Over time the support resources become interconnected and can interact with one another for your company's benefit. This trend is just starting and is expected to grow. For instance, if you are working with an IT audit firm and need to exchange information with a certified fraud examiner, you can do so at the technology and data level as well as at the process level. The same process may also support other resources, such as e-discovery of internal e-mail or litigation support.