As I talk to various people I meet at conferences, trade shows, or even in sales situations, I hear a comment occasionally that deserves some discussion. The general tone of the comment is "hey… I think an ERM solution would meet all my needs" (or, it might be expressed as "I already have ERM… why do I need GRC?"). So, let's take a quick look at these two areas and see if we can identify some clear and compelling differences.
Briefly, Enterprise Risk Management is the 'R' in GRC. A true GRC Management solution not only provides comprehensive risk management capabilities, but it also gives you broad compliance capabilities, and links these activities and information into a unified approach to GRC. This is how we've approached our CA GRC Manager solution.
In comparison to a stand-alone risk management solution, GRC management provides:
>> A unified and centralized approach to all risk and compliance information, eliminating redundant and often conflicting information maintained in organizational silos. Also, the effects of changes in one area (e.g., compliance with a given requirement) on other areas (e.g., overall risk) are easily determined, thereby improving the timeliness and accuracy of your risk-related decision-making. This is significant for ERM because you can only determine the effectiveness of the controls you have put in place to manage risk by testing those controls. Since controls are often used for both compliance and risk management purposes, the best way to increase the value of this controls testing information -- without negatively impacting operations -- is to use every interaction with that control to validate its effectiveness. So, controls testing for one purpose (risk management) can leverage testing done for other purposes (compliance). This is one of the many advantages of the unified approach to risk and compliance -- the full scope of GRC.
>> A comprehensive repository of control objectives (at least in the case of our solution, CA GRC Manager) for all major IT-related standards, regulations, and best practices, enabling you to much more easily create rationalized controls across a range of regulations and additionally to associate those control activities with enterprise risk. This also allows you to simplify and reduce the number of controls, makes compliance with future regulations much easier, and reduces your total compliance costs.
>> Policy management capabilities that support creation, revision, and approval of corporate policies, including automated workflow for policy approval and self-attestation. Policy is the output of governance activities, and should include risk management efforts and be linked into that full lifecycle of governance. Policies exist to educate employees and hold them accountable for acting in the manner that the organization desires -- including the way in which they manage the risks associated with business operations.
>> And, in the case of CA GRC Manager, comprehensive program and project management capabilities that improve execution, increase efficient utilization of IT resources (including personnel), and provide complete cost tracking across all risk or compliance programs and controls remediation projects. Risk evaluation and assessment activities are projects that involve a number of people and a set of discrete tasks that must be accomplished within a given timeframe if an organization wishes to first understand, and then manage, risk.
In summary, a true GRC solution should provide the core capabilities for risk management, allowing you to:
- Define the organizational goals and characteristics (organizational structure, etc.)
- Conduct Risk Assessments and evaluations using those risk-enabled contexts and the included Risk Library
- Define or associate relevant controls that mitigate risk
- Monitor Key Risk Indicators, and drive awareness or action on a change in status
- Manage the risk program, assessment projects, tasks, etc.
- Track and monitor total costs.
- Rinse and repeat -- the risk management lifecycle: plan, assess, respond, monitor. Schedule it and automate it.
But, more importantly, GRC not only provides these core risk capabilities, but extends them and unifies them with compliance, policy, controls, and remediation management -- capabilities that an ERM solution wouldn't begin to provide.
Your thoughts?