Governance Risk & Compliance
Governance, Risk and Compliance (GRC) is the umbrella term covering an organisation's approach across these three areas. Because they are closely related concerns, governance, risk and compliance activities are increasingly integrated and aligned, at least to some extent, to avoid conflicts, wasteful overlaps and gaps. While interpreted differently in different organisations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.
Information Management GRC
Information Management (IM) Governance Risk and Compliance (GRC) is the ability to direct, measure and evaluate the use of an enterprise's IM resources in support of the achievement of the organisation's strategic goals. Leadership, organisational structure and processes are used to leverage IM resources to produce the information required and drive the alignment, delivery of value, management of risk, optimised use of resources, sustainability and the management of performance.
For IM to be successful in delivering against business requirements, management should put an internal control system or framework in place that contributes to these needs by:
- Making a link to the business requirements
- Organising IM activities into a generally accepted process model
- Identifying the major IM resources to be leveraged
- Defining the management control objectives to be considered
IM Governance Focus Areas:
- Strategic alignment focuses on ensuring the linkage of business and IM plans; defining, maintaining and validating the IM value proposition; and aligning IM operations with enterprise operations.
- Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IM delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IM.
- Resource management is about the optimal investment in, and the proper management of, critical IM resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
- Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organisation.
- Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
Information Criteria:
- Efficiency concerns the provision of information through the optimal (most productive and economical) use of resources.
- Confidentiality concerns the protection of sensitive information from unauthorised disclosure.
- Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
- Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
- Compliance deals with complying with the laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.
- Reliability relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.
IM Resources:
- Applications are the automated user systems and manual procedures that process the information.
- Information is the data, in all their forms, input, processed and output by the information systems in whatever form is used by the business.
- Infrastructure is the technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications.
- People are the personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.
IM Process Domains:
- Plan and Organise (PO) - Provides direction to solution delivery (AI) and service delivery (DS). This domain covers strategy and tactics, and concerns the identification of the way IM can best contribute to the achievement of the business objectives.
- Acquire and Implement (AI) - Provides the solutions and passes them to be turned into services. To realise the IM strategy, IM solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives.
- Deliver and Support (DS) - Receives the solutions and makes them usable for end users. This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities.
- Monitor and Evaluate (ME) - Monitors all processes to ensure that the direction provided is followed. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance.
Generic Process Controls:
- Process Goals and Objectives. Define and communicate specific, measurable, actionable, realistic, results-oriented and timely (SMARRT) process goals and objectives for the effective execution of each IM process. Ensure that they are linked to the business goals and supported by suitable metrics.
- Process Ownership. Assign an owner for each IM process, and clearly define the roles and responsibilities of the process owner. Include, for example, responsibility for process design, interaction with other processes, accountability for the end results, measurement of process performance and the identification of improvement opportunities.
- Process Repeatability. Design and establish each key IM process such that it is repeatable and consistently produces the expected results. Provide for a logical but flexible and scalable sequence of activities that will lead to the desired results and is agile enough to deal with exceptions and emergencies. Use consistent processes, where possible, and tailor only when unavoidable.
- Roles and Responsibilities. Define the key activities and end deliverables of the process. Assign and communicate unambiguous roles and responsibilities for effective and efficient execution of the key activities and their documentation as well as accountability for the process end deliverables.
- Policy, Plans and Procedures. Define and communicate how all policies, plans and procedures that drive an IM process are documented, reviewed, maintained, approved, stored, communicated and used for training. Assign responsibilities for each of these activities and, at appropriate times, review whether they are executed correctly. Ensure that the policies, plans and procedures are accessible, correct, understood and up to date.
- Process Performance Improvement. Identify a set of metrics that provides insight into the outcomes and performance of the process. Establish targets that reflect on the process goals and performance indicators that enable the achievement of process goals. Define how the data are to be obtained. Compare actual measurements to targets and take action upon deviations, where necessary. Align metrics, targets and methods with IM’s overall performance monitoring approach.
The GRC Application
The GRC application addresses the above needs through a user interface built on the Devolution development platform, coupled with interactive dynamic reporting powered by the LogiXML BI reporting platform.
Together these technologies provide functional and graphical views of the GRC arena and its associated tasks, tests and so on, and the means to manage them.
Within the application the following hierarchy exists around the actual GRC operations. At the top level are the Combined Control Objectives (CCOs). The next level holds all the Control Activities linked to those CCOs. The third level holds all the Control Tests linked to the respective Control Activities. Currently the Control Test Artefacts sit at the lowest level.
Combined Control Objective.
A CCO is a group of control objectives, drawn from the same or from different sources, such that complying with the CCO assures compliance with every Control Objective it relates to.
Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that the necessary actions are taken to address risks to the achievement of the entity's objectives.
Control tests are the concrete tests or actions that must be carried out to comply with a given Control Activity and, through it, with its CCO.
Users are linked to Roles; each Role has linked to it the specific tests that fall within the responsibility of that user.
Each test is also linked to a test frequency, so as soon as a test result is captured the system automatically schedules the next test according to the configured frequency period.
If a test is not completed successfully it is marked as failed; it must then either be re-tested or, if a remediation task is linked to the failure of that test, the responsible user must complete the remediation task.
Control Test Artefact(s).
Artefacts are the documents that support the successful completion of a control test or tests. A Control Test may require several artefacts before it can be marked successful.
Capture Test Screen Results
Within this screen the relevant test description is displayed together with a list of all the required Artefacts that need to be provided for successful completion of the test. Each artefact can be supplied either as an attachment or as a link to where the document is hosted, e.g. SharePoint or Livelink.
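As an added illustration, not the product's own code or schema, the following Python sketch models the hierarchy, result capture and scheduling described above: a result can only be captured by a user in the test's Role and only once every required artefact (attachment or link) is supplied, the next run is scheduled from the capture date by the frequency period, and a failure either opens the linked remediation task or (an assumption here) makes the test due for immediate re-test. Class names, fields and the sample tests are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed model of the CCO -> Control Activity -> Control Test -> Artefact
# hierarchy; class names, fields and dates are assumptions, not the product's schema.
@dataclass
class ControlTest:
    name: str
    activity: str                 # owning Control Activity (which belongs to a CCO)
    role: str                     # role whose users are responsible for the test
    frequency_days: int           # test period used to schedule the next run
    required_artefacts: tuple     # artefact names that must be supplied
    remediation_task: str = ""    # task opened on failure; empty means re-test instead
    next_due: str = "2024-01-01"  # ISO date (constructed initial due date)
    status: str = "scheduled"
    open_remediation: str = ""

def capture_result(test, user_roles, passed, artefacts, captured_on):
    """Capture a result as the Capture Test screen does.

    artefacts maps artefact name -> attachment path or hosting link (SharePoint etc.).
    Raises ValueError when the user lacks the role or a required artefact is missing."""
    if test.role not in user_roles:
        raise ValueError(f"user is not in role {test.role!r}")
    missing = [a for a in test.required_artefacts if not artefacts.get(a)]
    if missing:
        raise ValueError(f"missing artefacts: {missing}")
    # The next run is always scheduled from the capture date by the frequency period.
    due = date.fromisoformat(captured_on) + timedelta(days=test.frequency_days)
    test.next_due = due.isoformat()
    if passed:
        test.status, test.open_remediation = "passed", ""
    elif test.remediation_task:
        test.status, test.open_remediation = "failed", test.remediation_task
    else:
        # No remediation task linked: the test must be re-run (assumed: due immediately).
        test.status, test.next_due = "failed", captured_on
    return test

def work_list(tests, user_roles, on):
    """Names of tests in the user's roles that are due on or before ISO date `on`."""
    return [t.name for t in tests if t.role in user_roles and t.next_due <= on]

if __name__ == "__main__":
    t = ControlTest("Backup restore test", "Backup and recovery", "IT Ops", 30,
                    ("restore log",), remediation_task="Investigate failed restore")
    capture_result(t, {"IT Ops"}, True, {"restore log": "https://sharepoint.example/r.log"}, "2024-03-01")
    print(t.status, t.next_due)  # passed 2024-03-31
    print(work_list([t], {"IT Ops"}, "2024-03-31"))  # ['Backup restore test']
```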