If there's one thing that's consistent about the world of GRC, it's that compliance requirements are always changing -- and if a compliance mandate itself doesn't change, enterprises are seeing guidance on compliance requirements change.
While financial requirements have been all the rage during a recession and time of struggling banks, there's so much more going on.
"In other industries -- for example, with consumer product companies -- the U.S. Consumer Product Safety Commission is not really changing requirements, but they are upping the ante as far as scrutiny," said Chris McClean, an analyst for Forrester Research. More resources for investigation are becoming available, and enterprises are facing larger fines and increased risks in getting called out for business practices that fall on the wrong side of regulatory -- or even public -- favor.
What started out as something that was thought to be fairly straightforward -- certification of financial results with
IT GRC covers things around segregation of duties, configuration auditing, security and identity access management, and secure event and identity monitoring, he said.
In turn, there is operations GRC, which tends to be aligned with revenue producing activities, transaction monitoring, quality management, and environmental health and safety regulations and requirements.
Understanding the three major types of GRC -- financial, IT and operational -- is critical to helping an organization start mapping out a revamped GRC strategy. While every organization is different, the major departments within an enterprise will have their own areas of compliance to address. For instance, a CFO may typically face SOX, Basel II or OMB A-123, while the CIO may be concerned with HIPAA, ISO/IEC 27001, AS8015-2005, GLBA and/or PCI DSS.
The vice president of HR may have to worry about FMLA or ERISA, while the vice president of procurement may need to straddle aspects of OSHA, REACH and Clean Air, the last two of which may also be shared with the vice president of an enterprise supply chain and/or COO. The vice president of manufacturing (and COO) may also need to worry about regulations from NERC, Clean Water, SARA and the FDA. A vice president of customer service or chief marketing officer may have to maintain a handle on a variety of privacy and anti-spam regulations.
Meanwhile, new business partner requirements are creating new areas of compliance, and while failure to comply may not lead to jail time for executives or painful fines, business partners have the power to choke off key revenue streams. Take, for example, the retail giant Walmart. With $405 billion in sales earned across more than 8,400 retail outlets in 15 countries, the company is one of the most important partners for its 100,000 suppliers around the world.
Back in 2004, Walmart shook up its top suppliers with its RFID tagging and tracking mandate, and now the company is at it again with its new "green" initiative. First announced in July 2009, the effort started with Walmart asking its suppliers 15 questions about their companies' sustainability, including key areas such as greenhouse gas emissions, factory locations, water use, and solid waste produced. Next, the information (and more details) will generate a database of information on the lifecycle of each product, from raw materials to disposal, ultimately ending with a consumer product index rating that will help consumers choose more environmentally friendly and sustainable products.
Technology to the rescue
Because most organizations operate in a fragmented and siloed fashion, IT departments have often been tapped to help acquire and support an outright mess of different point solutions and homegrown compliance tools. Even so, many compliance requirements get pushed back to business or operational departments, where they are effectively lost to the organizational leaders as a whole. In this situation, a board of directors, for example, can't get the level of transparency necessary to assure compliance across an enterprise, much less have a real understanding of everyday and strategic risk.
"In the software market, products start out as point solutions, but over time they develop into platforms or suites, and that's what we're seeing now -- this marketplace is still best-of-breed in finance, operations and IT GRC, and at the same time we're seeing developments where the GRC vendors can specialize in two but not three of these areas," Eid said.
Of GRC companies like OpenPages, Paisley, BWise, Protiviti, Aline, Archer Technologies and MetricStream, most are best-of-breed vendors that are either finance GRC vendors building out additional IT GRC capabilities or IT GRC providers now building out more financial GRC capabilities, he said.
Flexibility is key
While older regulations like SOX are understood and now have good guidance on how to implement controls, every company is still unique.
"Flexibility with GRC systems is routinely one of a customer's top one or two key points they are looking for," McClean said. "It needs to adjust to their workflow, their documentation, their organizational structure -- and that flexibility is absolutely essential."
That said, even without a GRC technology, companies have a fairly good handle on their business requirements most of the time, whether it's their business partner requirements, SOX, privacy legislation, or environmental health and safety, McClean added. The companies have had to deal with the requirements for a long time, and the controls are fairly well understood.
"It's being able to mold the GRC product around the business processes, the workflow and the organizational structure that really matters," he said.
For SAP, business processes represent the linkages across enterprise silos, and these basic processes can be adapted to meet a variety of compliance requirements.
"If everyone in an enterprise came to IT and said, 'Hey, I need a solution for this, for that,' it would be a nightmare because you would have more to buy than you would ever have budget for and more to implement than you would ever have time for," explained SAP's Dickhart. "What we try to do is provide one process, whether it's compliance to an external regulation or it's compliance to an internal policy, so that the same process can be used across all those entities -- and that's the basis for SAP's Process Control product."
It sounds so easy -- one process to rule them all. But there are more dimensions of the problem. Not only do these processes go horizontally across organizations, they need to be able to delve deeply into IT systems to make any sort of monitoring effective.
"SAP's GRC solution sits on the NetWeaver stack independently, then we provide agents that sit in the processes -- or other systems -- that enable us to monitor information or events that let us trigger exceptions against the rules that sit on our NetWeaver platform," Dickhart said.
"For example, in a heterogeneous environment, we have a customer who has Oracle, SAP and a legacy system, and we can gather information from all of those systems," he said. "But the rules -- from a business process or segregation of duties perspective -- can be normalized and stated in one way."
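The cross-system normalization Dickhart describes, together with the segregation-of-duties monitoring listed earlier under IT GRC, can be sketched in code. The following is an added illustration, not SAP's, Novell's or any other vendor's code: it pretends three systems export access data in three different formats, maps each record onto one shared vocabulary of business functions, and evaluates a single segregation-of-duties rule set across all of them, so that a conflict split across two systems (vendor maintenance in one, payment release in another) is still caught. All system names, role codes, rules and user records are constructed for the example.

```python
"""Constructed illustration of normalizing entitlements from heterogeneous
systems into one vocabulary and applying one segregation-of-duties (SoD)
rule set across all of them. Not vendor code; every name below is made up.
"""
from collections import defaultdict
import csv
import io

# --- Constructed extracts from three differently shaped systems -------------

# "ERP" export: CSV of user and technical role code, one role per line
ERP_EXTRACT = """\
user,role
jsmith,Z_AP_INVOICE_POST
jsmith,Z_VENDOR_MAINT
adoe,Z_AP_PAYMENT_RELEASE
mlee,Z_GL_JOURNAL_POST
"""

# "Database" grant dump: GRANT <privilege> ON <object> TO <user>
DB_GRANTS = [
    "GRANT UPDATE ON VENDOR_MASTER TO adoe",
    "GRANT SELECT ON VENDOR_MASTER TO mlee",
    "GRANT INSERT ON PAYROLL_RUN TO mlee",
]

# "Legacy" profile lines: USER=<id> FUNC=<code>
LEGACY_PROFILES = """\
USER=MLEE FUNC=PAYCHG
USER=ADOE FUNC=RPTVIEW
"""

# --- Normalization: (system, raw entitlement) -> shared business function ---

# Stated once, this vocabulary is what lets the rule set be stated once too.
# Entitlements with no entry (e.g. read-only grants) map to no function.
ROLE_TO_FUNCTION = {
    ("erp", "Z_VENDOR_MAINT"): "maintain_vendor_master",
    ("erp", "Z_AP_INVOICE_POST"): "post_ap_invoice",
    ("erp", "Z_AP_PAYMENT_RELEASE"): "release_payment",
    ("erp", "Z_GL_JOURNAL_POST"): "post_journal",
    ("db", "UPDATE:VENDOR_MASTER"): "maintain_vendor_master",
    ("db", "INSERT:PAYROLL_RUN"): "run_payroll",
    ("legacy", "PAYCHG"): "change_payroll_master",
}

def parse_erp(text):
    """Yield (system, user, raw_entitlement) from the CSV role export."""
    for row in csv.DictReader(io.StringIO(text)):
        yield "erp", row["user"].lower(), row["role"]

def parse_db(lines):
    """Yield (system, user, 'PRIV:OBJECT') from GRANT statements."""
    for line in lines:
        parts = line.split()  # GRANT <priv> ON <object> TO <user>
        priv, obj, user = parts[1], parts[3], parts[5]
        yield "db", user.lower(), f"{priv}:{obj}"

def parse_legacy(text):
    """Yield (system, user, function_code) from KEY=VALUE profile lines."""
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split())
        yield "legacy", fields["USER"].lower(), fields["FUNC"]

def normalize(records):
    """Return {user: {business_function: {(system, raw_entitlement), ...}}}.
    Keeping the raw evidence lets an exception be traced back to its source."""
    functions = defaultdict(lambda: defaultdict(set))
    for system, user, raw in records:
        func = ROLE_TO_FUNCTION.get((system, raw))
        if func:
            functions[user][func].add((system, raw))
    return functions

# --- One SoD rule set, applied to the normalized view of every system -------

SOD_RULES = [
    ("maintain_vendor_master", "release_payment"),
    ("maintain_vendor_master", "post_ap_invoice"),
    ("change_payroll_master", "run_payroll"),
]

def find_sod_exceptions(functions):
    """Return a list of (user, rule, evidence) for each user holding both
    sides of a rule, regardless of which system grants each side."""
    exceptions = []
    for user, held in sorted(functions.items()):
        for a, b in SOD_RULES:
            if a in held and b in held:
                exceptions.append((user, (a, b), sorted(held[a] | held[b])))
    return exceptions

def run_check():
    """Gather the three constructed extracts and evaluate the rule set."""
    records = list(parse_erp(ERP_EXTRACT))
    records += list(parse_db(DB_GRANTS))
    records += list(parse_legacy(LEGACY_PROFILES))
    return find_sod_exceptions(normalize(records))

if __name__ == "__main__":
    for user, rule, evidence in run_check():
        print(f"{user}: {rule[0]} + {rule[1]} via {evidence}")
```

Two of the three exceptions this produces are only visible because the records were normalized: adoe's vendor-maintenance right comes from the database grant while the payment release comes from the ERP role, and mlee's payroll conflict spans the database and the legacy system. A check run inside any single system would report neither.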
SAP's strategy is not to replace dozens of other GRC tools and solutions but to utilize what a customer has that's working already. For instance, SAP has partnered with Novell for down-in-the-trenches event monitoring and identity management that can, for example, actually give access control policies some teeth.
"We don't want to replace everything that the customer already has," Dickhart said. "What we're trying to do is find the spots in the business processes where we can supply the risk information to the risk owner or business person and let them take action at the same time, not as a process or report they have to review separately."
MTU Detroit Diesel manufactures heavy-duty diesel engines for off-road use, and the manufacturer is both an importer of mechanical parts and a global exporter of its products. The company used to rely on manual processes for complying with federal import and export regulations, requiring labor-intensive and time-consuming screening and licensing processes. By implementing the SAP BusinessObjects Global Trade Services application, however, MTU Detroit Diesel automated the processes, eliminated dependence on third parties for regulations adherence, enhanced visibility into its international transactions, benefited from improved compliance ratings, decreased the risk of noncompliance, and decreased its cost of conducting compliance-related processes.
"The SAP BusinessObjects Global Trade Services application equips us with the tools we need to maintain the level of compliance that U.S. Customs expects," said Adam Wood, director of logistics for MTU Detroit Diesel. "It puts us in the driver's seat on issues that could greatly affect our compliance. This is important to us because noncompliance can result in audits, fines and penalties."