GRC tools: To integrate or not to integrate?
Many companies use multiple governance, risk and compliance – or GRC – tools to make sure they're meeting regulatory goals and objectives. Ideally, all the tools would integrate across a single enterprise platform, but that's typically the exception rather than the rule. A new white paper [.pdf] from risk consulting firm Protiviti outlined several reasons why it's a good idea to bring an assortment of compliance functions together under one umbrella instead of letting them languish across teams and work processes.
The paper identified several types of GRC solutions, each intended to track and produce different results. Enterprise risk management tools help companies assess, identify, avoid and mitigate risk, and compliance management processes keep companies functioning within the confines of the applicable rules and regulations.
Meanwhile, IT governance tools provide a "central repository" for managing an organization's IT allocation and resources. Throw in financial control and internal auditing platforms and you've got a batch of different solutions all using different roads to get to the same destination.
The authors noted that it makes good business sense to "bring these functions together, at least on an aggregated level, even if subsets of information are contained in other source systems: It will enable the three lines (operational/ business line managers, risk and compliance functions, and internal audit) to coordinate activities, map assurance functions and perform independent validation."
Of course, if it were that simple, then everyone would do it, right? The paper noted several potential barriers to full-on integration, and they're the same things that typically snag other enterprise platform integration projects: lack of collaboration among teams, overly complex existing technology and the inability to determine the overall ROI for integration projects.
The paper is a bit dense, but it's worth a read for the insight it offers into why integrated GRC platforms are important and how they benefit organizations in the long run. It also included a detailed look at what core components GRC platforms should have and what underlying functionalities they should support.
Finally, the report suggested a vendor-neutral list of things to consider when evaluating software platforms and vendors. "One is the time frame and budget required to implement the system," said the authors. "Another is the configurability of the solution to the company's needs. Organizations should avoid platforms designed like 'black boxes,' with limited ability to configure controls or generate the reports needed."
- download the Protiviti white paper on GRC [.pdf]