Consider Solutions

Implementing Effective Technology for Governance, Risk & Compliance (GRC)

An urgent need for GRC technology often arises out of specific audit findings (see above) and the subsequent realization that the cost and timescales of manual approaches are untenable. There are many dimensions to the GRC landscape: executive dashboards, risk registers, controls documentation repositories, audit checklists, and specific applications for standardized, repeatable processes such as financial closing or Health & Safety, through to the continuous monitoring of controls and risk indicators at the business application level and lower-level IT infrastructure monitoring and intrusion prevention.

This is a broad spectrum, but one of the most common requirements is for application access controls (SoD et al.) in major applications such as SAP, Oracle E-Business Suite and others. Each layer of the GRC landscape is a potential minefield, depending on what the organisation is trying to achieve (see our white paper ‘The GRC Landscape Explained’ in the Resources section of this website). There are many credible technologies in the marketplace, many of them aimed at the technical IT/ERP security specialist. However, the devil is in the detail of deployment and of making them effective for business, internal controls, compliance and audit use. Internal controls and compliance are business issues and need to be supported in a way that lets all the key stakeholders participate effectively, irrespective of their geographic location, operating unit, function or line of business. There are countless examples of expensive GRC technologies being purchased and a technical deployment initiated, with little to show for the effort after 12-18 months. Always conduct a brief practical proof of concept with at least two vendors before finalizing a decision. Caveat emptor!

 