GRC Reference Architecture - Role - Process Specific Applications
Over the past few weeks we have looked at both the information model and the
enterprise application core of Corporate Integrity’s GRC Reference Architecture.
The GRC Reference Architecture provides the framework to approach technology,
classify software offerings, and is part of my broader GRC EcoSystem (which
includes over 1300 technology, professional service, and information providers).
The GRC Reference Architecture represents the core to the revisions to the OCEG
GRC IT Blueprint to be released by the end of this year. Your feedback is
appreciated.
We now turn to the next component of the GRC Reference Architecture – the
business role/function specific applications. These are the applications that are
predominantly focused on meeting the needs of a specific business function, process,
or role in the enterprise. Applications in this area may very well have significant
risk and compliance relevance, as well as impact on the enterprise – but 80% or more
of their use is by a specific subset of GRC user roles. The enterprise application
core that we previously discussed represents applications that span GRC business
users/roles across the business.
The various business roles and functions that have specific uses of GRC
technologies and applications are scattered across the enterprise. In one sense,
every part of the business touches on GRC as it relates to different aspects of
performance, risk, compliance, values, and control.
The primary, but not all inclusive, business function/role application categories
include:
Audit. While audit is a broader part of the enterprise application core of GRC,
audit also maintains its own category of role specific applications dealing
with assurance, audit management (e.g., calendaring, resource scheduling,
work paper management), as well as audit analytics and automation.
Brand & Reputation Management. This category offers targeted solutions for
managing the corporation’s brand and reputation – in both the physical
world and online. This includes brand surveillance management.
Business Continuity. Disaster recovery, business continuity, and crisis
management are all very relevant to GRC and are solutions that
enterprises need in order to manage and maintain continuity of operations across
the business.
Business Operations (line of business). The line of business is the front line of
GRC. From management of global trade compliance and procurement
management to customer relationship management, many aspects of
business transactions, interactions, and relationships have relevance to
GRC.
Corporate Compliance & Ethics. Within corporate compliance and ethics there
are solutions aimed at communicating code of conduct, delivering
compliance training, as well as whistleblower reporting through
hotline/helpline systems.
Corporate Secretary. Board and entity management software is the primary
vehicle for the corporate secretary role to carry out the function of
managing board papers, communications, calendars, and corporate
reporting.
Corporate Social Responsibility/Sustainability. CSR is a burgeoning field that is
becoming increasingly relevant to organizations around the world.
Solutions in this category aim to help monitor emissions and track carbon,
as well as offering broader GRI (Global Reporting Index) reporting.
Environmental, Health, & Safety. EH&S software helps the organization manage
and maintain environmental controls as well as the health and safety of
individual employees, partners, and clients. Solutions in this space have
many offerings from areas like environmental monitoring and reporting to
MSDS management.
Finance & Accounting. The finance and accounting function focuses on using
software to manage risk and compliance within business financial
transactions, validates that the organization is managing finance and
budgets within boundaries, and monitors finance and treasury risk
management. This entire area is often referred to as Finance-GRC.
Fraud. The area of fraud management utilizes software for fraud investigations,
fraud prevention/management, as well as specific areas such as anti-money
laundering.
Human Resources. HR issues such as hiring practices, discrimination, harassment,
wage & hour, compensation, employee privacy, and other areas often carry
some of the most significant risk and compliance exposures the organization
faces. While broad HRMS systems have much relevance to GRC, there are
specific areas of software that HR leverages to help communicate and
prevent risk and compliance issues, such as employee evaluations and
surveys, as well as learning/training management solutions.
Information Security, Risk, & Compliance. What is often referred to as IT-GRC
represents the most expansive domain of software solutions aimed at
managing technology and information risk and compliance. This includes
areas of threat and vulnerability management, configuration management,
identity and access management, encryption, and many other components.
Insurance. The role focused on managing insurance and claims management has
software specifically aimed to support its function in GRC.
Investigations. Part of the broader enterprise GRC application core as well,
investigations management software enables the organization to
consistently and efficiently intake issues, manage investigations, and record
and manage loss across the organization.
Legal. The legal department has a variety of technology solutions aimed at
supporting the legal role in areas such as matter management, contract
management, discovery management, and the management and protection
of intellectual property. The terms Legal-GRC and legal process
management are starting to be used to identify solutions that bring these
components together.
Physical Security. Physical security is dependent on many areas of technology,
from surveillance to physical access systems, to protect the organization
and, in some areas, to comply with laws and regulations.
Privacy. A variety of solutions have come to the market specifically aimed at
managing privacy programs. These range from software focused on information
protection and privacy policy communication and training to incident response
and managing disclosure requirements.
Quality Management. Quality management systems provide a backbone of
managing quality within the line of business – while monitoring and
resolving quality and control issues.
Risk Management. Risk is fundamental to GRC but also has a variety of
business roles across the organization. From enterprise risk management
software down into the many components of operational, geopolitical, and
financial and treasury risk management software – there are
solutions aimed at meeting a variety of specific risk needs.
Third-Party/Supply-Chain Management. Risk and compliance issues do not stop
at the traditional corporate boundaries but carry on into a complex web of
business partner and supply chain relationships. Solutions in third-party
management aim to communicate code of conduct and policies while
managing and monitoring risks, compliance, and controls across extended
business relationships.
These roles represent a significant but not exhaustive look at the categories of risk
and compliance software solutions targeted at specific areas of the business. These
applications need to be able to report and feed information into broader GRC
reporting systems and dashboards to maintain a 360-degree view of GRC throughout
the business. All are very relevant and part of a broad GRC strategy.
Further, the discussion and breadth of GRC business/function roles and supporting
technologies underline the fact that GRC is a federated effort. There is not one
group of the organization that does GRC. While there may be a role leading the
collaboration, it really extends throughout the business.
Over the next few weeks we will wrap up the initial discussions on the GRC
Reference Architecture. The next posting will provide commentary on the
geographic and industry specific views of GRC technology, and the final one will
look at the technology components/capabilities of which GRC solutions are
comprised.