In the last blog, we were discussing ways to cope with today’s new business and regulatory challenges. Again, you might want to consider adopting a “holistic” GRC approach that can help you develop multi-purpose, reusable GRC solutions.
For example, under such a holistic approach, a company could (a) identify the most important legal and policy mandates applicable to it, (b) identify the GRC issues that recur across those mandates (e.g., privacy, security, audit, record-keeping) and (c) develop multi-purpose, reusable policies and IT solutions for the most important of those issues. As part of this methodology, the company could use Excel spreadsheets to build Mandate Grids and GRC Issue Grids so as to understand its regulatory mandate landscape on an issue-by-issue basis. It then could inventory the company resources, in terms of policies, software and personnel, devoted to each GRC issue under each mandate. By ranking those resources on comprehensiveness, scalability, ease of use and capacity to serve multiple mandates, it could identify the strongest resources to standardize on, with the weaker resources phased out over time.

Finally, a GRC Training Handbook and a Summary GRC Report could be created as part of the “holistic” approach. These would enable company personnel to be fully trained in the methodology, and so better able to describe the corporation’s GRC approach to the board of directors, regulators and other critical third parties, such as juries in the event of litigation. The GRC Training Handbook and Summary GRC Report also could help establish a due diligence defense for the company in the event of a GRC failure by mapping the company’s approach against applicable best practices.
In order to facilitate the implementation of the above methodology, the company could use Microsoft Office SharePoint Server 2007 (MOSS) as a communication and collaboration platform that enables staffers to collect and assemble the needed GRC data. Office InfoPath 2007 could be used to create XML-based forms for collecting information through questionnaires. Once the GRC information had been collected and stored in SQL Server, staffers could use the built-in reporting capabilities of SharePoint Server to produce the necessary reports for C-level officers, the board of directors and/or outside parties, such as regulatory agencies. Additional functionality can be added through Excel Services and other Microsoft tools, including Microsoft partner offerings. One caveat: because this repository would hold the company’s own assessment of where its controls are strong and where they are weak, access to the SharePoint sites, the InfoPath forms and the underlying SQL Server data should be restricted to the GRC team and audited like any other sensitive corporate record.
We now have come full circle to the questions posed above, and the answers appear clear. The Mandate Grids and GRC Issue Grids would identify the top 30 mandates applicable to the company, and would show which of those mandates require the company to address specific security issues, maintain records for audit purposes and the like. If a GRC breach were to occur, the company would simply produce its Summary GRC Report, which maps the company’s GRC program against best practices. If the company’s approach matches best practices or has been accredited by third parties, it is hard for a third party to claim that the company was guilty of gross negligence. Also, if you had only one hour to explain the company’s approach to GRC issues to your board, you would produce the GRC Handbook and Summary GRC Report, explain the methodology in a short slide deck and make the various Mandate Grids and GRC Issue Grids available for review. Similarly, rather than having to explain the company’s GRC approach from scratch on a witness stand, you simply would refer to the Summary GRC Report and walk through the methodology. Finally, by moving away from one-off solutions and towards multi-purpose, reusable GRC solutions, you should be able to reduce the total cost of ownership of your GRC program, because you would be reducing staffing and training. Since staffing and training represent approximately 67% of the total cost of a typical compliance project, this would be a significant reduction in cost.
As always, your comments are welcome. For any reader interested in learning more about this holistic approach to GRC issues, Jeff will be happy to respond to your questions.
Jeff Jinnett is Governance, Risk Management & Compliance Industry Market Development Manager, US Financial Services Group, for the Microsoft Corporation. Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene & MacRae, LLP (now Dewey & LeBoeuf) and has experience in advising Fortune 500 companies in the financial services industry on the use of technology to support corporate governance, risk management and compliance programs. Mr. Jinnett has testified as an expert before committees of the US Senate on issues relating to the intersection of law and technology. He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance & Ethics (SCCE).