The value of GRC product integration
However you define GRC (see my other posts), everybody will agree that solutions for governance, risk management, and compliance (GRC) include a number of functionalities. For example, some focus on risk management, compliance management, policy management, and audit management and refer to the combination as a GRC platform or similar.
There certainly is value – as a generality – in integrating applications. SAP achieved great success through its integration of applications for business processes into ERP and more recently into its Business Suite. Oracle has also integrated many of its applications into its ERP.
The question is whether integration of different GRC applications or functionalities has the same sort of value as integrating accounts payable and general ledger.
I would argue that there is clear value in integrating some of these applications. For example, when you integrate risk management and audit management, you enable the internal audit function to build a risk-based audit plan. Integrating compliance management and policy management allows you to link compliance requirements to related policies. Additional integration with risk management allows you to capture and report compliance-related risks together with other sources of risk, such as strategic and operational.
What many seem to overlook is the value of integrating these applications for GRC with the ERP itself. For example, integrating risk management with the financial, accounts payable, logistics, and other parts of the ERP will allow the building of automated, integrated, continuous risk monitoring. Running applications for transaction and master data monitoring (continuous monitoring, CM or CCM) or auditing (continuous auditing, CA) is much more efficient when they are integrated with the ERP – where the data resides – than when you have to extract the data from the ERP so it can be tested.
Where is the integration most valuable for you? Is it in integrating the GRC solutions with each other, or with the ERP? Perhaps the answer is to be greedy and ask for both: integration between related solutions for GRC and integration of those same solutions with ERP.
What do you think?
Norman,
Good question, one of the questions that motivated me to start Reliant Solutions. When you holistically look at the enterprise, the board and executive management are chartered to manage enterprise value, which is a dynamic asset and hence needs dynamic management systems to manage the asset class as custodians of shareholder value.
Having said that, the company board, C-Suite, line of business, external auditors, internal auditors and consultants (audit prep guys – by the way, the most expensive part of this puzzle, studies have shown that) need to be able to collaborate, have visibility and transparency … by integrating risk management for Compliance (SOX, Model Audit, etc.), Financial, Operational, Strategic (KPIs) and IT.
The stakeholders are finally having:
– Visibility of the risk they manage throughout the quarter across all business units and geographies
– Collaborate with their internal audit, Line of business customers and respective dependency.
– Reduce cost of risk and audit management due to integration
For further information you may want to invest 46 mins and watch a webinar in which we attempted to address these issues:
http://p0.vresp.com/GtMuJ7
Facts are that this is a new frontier – continuous integrated risk and audit management – and adoption is taking place by what I call Maverick General Auditors only … They get it and, most importantly, they know how to launch it within their organizations to be successful … I have been blessed to work with a few of these Mavericks … The rest of the audit community will adopt it in a few years.
Norman,
Another important issue for GRC integration is to ask who the stakeholders are. If it is the C-Suite and operational team, then integrating GRC applications with ERP is fine. If the stakeholders include auditors, then due to their independence issue with the management teams, they need their own system to assess, manage and monitor the risk … some within audit will say that they only monitor, not manage; however, I am seeing a nice evolution taking place where internal audit is getting involved in risk management issues as well.
Also, I have yet to meet a company that is strictly using one ERP system, hence GRC integration with ERP systems has its challenges of integration and acceptance by various stakeholders of GRC.
Dipak
Dipak, my background is running internal audit for many years, and auditors can certainly use enterprise software. The “independence” bugaboo is old school and discredited now.
I don’t disagree that there is value in a platform with integrated solutions for GRC. My point is that there may be equal or greater value in integrating with the enterprise application systems.
Norman,
I think the overall concept of ongoing monitoring/continuous auditing is a relevant concept for all sizes of companies (i.e. small and large cap); however, the “how does it get done?” or, better yet, the “execution” is different from company to company. Your observation that “What many seem to overlook is the value of integrating these applications for GRC with the ERP itself” is a good one; however, remember IT budgets are slashed, and putting more effort into “monitoring”, where there is little to prove for an internal audit department to show increased shareholder value, is really hard. If I were to answer your second question of “Where is the integration most valuable for you? Is it in integrating the GRC solutions with each other, or with the ERP? Or both?”
I would say integration of the revenue cycle first, but with what? Some companies are only using one or two apps; therefore, integration usually is done already. The real issue is what data analytics can be leveraged to increase both the objectives of auditing (internal or external) and operational benefits. My recent findings are that “Benford’s law applied correctly” adds one of the best values. The test can be done at a high level (i.e. 1st and 2nd digit) but of course move to more detail when you analyze more digits. So maybe integration isn’t the real question, but data analytics that tie to both audit and operational objectives.
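The first- and second-digit Benford tests the comment above refers to, as an added Python example (not code from the post or any commenter). The ledger is constructed: a log-uniform population stands in for genuine invoices, plus a batch parked just under a hypothetical 5,000 approval limit, the kind of split-invoice pattern a continuous-auditing routine over ERP data is meant to surface.

```python
import math
from collections import Counter

# Expected Benford proportions; the second-digit law sums over every first digit.
BENFORD_FIRST = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
BENFORD_SECOND = {d: sum(math.log10(1 + 1 / (10 * k + d)) for k in range(1, 10))
                  for d in range(10)}

def leading_digits(amount):
    """Return the (first, second) significant digits of an amount, or None."""
    digits = f"{abs(amount):.2f}".replace(".", "").lstrip("0")
    return (int(digits[0]), int(digits[1])) if len(digits) >= 2 else None

def benford_test(amounts, position=0):
    """Observed vs. expected share per digit at `position` (0=first, 1=second),
    plus the mean absolute deviation (MAD) across digits."""
    expected = BENFORD_FIRST if position == 0 else BENFORD_SECOND
    counts = Counter()
    for amount in amounts:
        digs = leading_digits(amount)
        if digs is not None:
            counts[digs[position]] += 1
    n = sum(counts.values())
    rows = {d: (counts[d] / n if n else 0.0, p) for d, p in expected.items()}
    mad = sum(abs(obs - exp) for obs, exp in rows.values()) / len(rows)
    return {"n": n, "rows": rows, "mad": mad}

def conformity(mad, position=0):
    """Classify MAD using Nigrini's published first-/second-digit cut-offs."""
    cutoffs = (0.006, 0.012, 0.015) if position == 0 else (0.008, 0.010, 0.012)
    labels = ("close", "acceptable", "marginal", "nonconformity")
    return next((lab for c, lab in zip(cutoffs, labels) if mad <= c), labels[-1])

def largest_excess(result):
    """Digit whose observed share most exceeds Benford: the one to drill into."""
    return max(result["rows"], key=lambda d: result["rows"][d][0] - result["rows"][d][1])

# Constructed ledger: 300 log-uniform amounts (10.00 .. ~9,772) behave like genuine
# invoices; 120 more are parked just under a hypothetical 5,000 approval limit.
GENUINE = [round(10 ** (1 + i / 100), 2) for i in range(300)]
SPLIT_INVOICES = [round(4900 + i * 0.37, 2) for i in range(120)]
LEDGER = GENUINE + SPLIT_INVOICES

if __name__ == "__main__":
    for pos, name in ((0, "first"), (1, "second")):
        res = benford_test(LEDGER, pos)
        print(f"{name}-digit MAD {res['mad']:.4f}: {conformity(res['mad'], pos)}; "
              f"largest excess at digit {largest_excess(res)}")
```

On the genuine population alone the first-digit MAD falls in Nigrini's "close conformity" band; with the parked invoices added, digit 4 (first position) and digit 9 (second position) show the excess, which is where an auditor would drill into the underlying transactions.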
I agree with Sonia. At the end of the day, it depends a lot on how the company organizes and what data it captures. Also, audit failures don’t result from technology failures. It’s usually people failures. Sure, you can recover a few million here and there if you do a procurement audit, but you can force the government or the bankers to tell you where 850 billion of the TARP money went.
The problem is people, and please don’t (like the corp integrity guy) say having good policies and laws in place will address it.
Hi Norman,
Great thread discussion. Based on what I see in the field, businesses are concerned with risk event prediction and avoidance. While it can be difficult to predict so-called “fat tail” risks (high impact, low probability), avoiding risk through a robust monitoring program is a reality. For example, one organization is leveraging its systems environment (SAP with additional applications in the design and data management spaces) to monitor various access to proprietary and protected information. If the systems are integrated based on role in the organization, rights to access certain information given role and location, and conventional access security, risk events such as deliberate or unintended leakage of intellectual property or transfer of technology to embargoed nations may be avoided. Integrating the systems to provide the audit management and monitoring of the environment is a more cost-effective option than having auditors circle the globe to physically make audit spot checks of compliance processes.
Short answer: yes it is a very good thing.
Thanks again for the thread. Check out our blog on Enterprise Performance Management topics including strategy, risk, operations, and technology on WordPress at TheViewFromClevel.wordpress.com.