The Governance, Risk & Compliance (GRC) space has generated worldwide interest after the enactment of specific corporate laws by the regulators. Many organisations focus mainly on the “C” part, through internal & external audits, to ensure that they comply with the laws & regulations of the land and with their own policies & procedures. However, when laws specifically prescribe that a governance system must exist, that risks must be identified and that controls must be tested for their effectiveness, the consequences can be far reaching.
Lo and behold, SAP’s comprehensive GRC tool (GRC 10) provides the functionality to meet the requirements of these regulations and integrates seamlessly across modules. An enterprise GRC platform approach allows companies to manage all risks and controls from a single repository, which should give comfort to Directors, Auditors and other stakeholders.
In order to get the best out of GRC 10, it is important that consultants have a good understanding of:
- the integration between Process Control (PC), Risk Management (RM) and Access Control (AC)
- business processes, risks & controls
- frameworks on GRC & controls
- risk management standards
- the holistic view of GRC and the benefits an organization can derive
Most organizations start with AC and then move on to implement PC and RM, which is more like a “bottom up” approach. The reason for this is that reporting on SOD (segregation of duties) violations gained importance worldwide with the enactment of the Sarbanes-Oxley Act and other equivalent regulations. Most consultants in this space come from a technical background, whereas PC & RM require very good domain knowledge. There is a need for PC & RM consultants to “cross-pollinate” with AC consultants and vice versa. I do appreciate the fact that these modules are vast and that finding consultants with an understanding of PC, RM & AC is going to be difficult. However, the reality is that this is required for a successful implementation of GRC 10 and, for starters, I believe consultants should at least understand the main integration points.
Continuous Control Monitoring is a very powerful functionality in GRC 10 and can immensely benefit organizations in establishing whether their controls are working effectively and efficiently. It can also help auditors form an opinion on the effectiveness of controls. In today’s world, the words “control effectiveness” have become buzzwords in the vocabulary of regulators and have been written into the responsibilities of Directors and Auditors. Testing of controls should not be done on an “as at” basis (a single point in time); rather, it should be done “for the year”, which boils down to continuous monitoring. Organizations need automated tools like GRC 10 to meet these objectives. An effective GRC Consultant must have a “Board View” of governance, enterprise risks and controls and not be restricted to specific modules.