Governance, Risk and Compliance: We have an app for that.

Over the past few years, we’ve all been hearing a lot about “GRC”, or “Governance, Risk and Compliance”.  Products are marketed as GRC Solutions and organizations are advised to implement strong GRC programs.  GRC seems to be all the rage lately.  But what is GRC?

What is GRC?

First let me state for the record that I do not consider myself an expert in anything.  I am not an industry analyst or a compliance consultant.  However, as a policyIQ Product Director what I AM is a person who has spent a large amount of time listening to clients talk about the challenges in their organizations.  I’ve helped countless organizations use technology (specifically policyIQ) to better manage their documentation – from policies and procedures to Sarbanes-Oxley compliance to account reconciliation tracking.

In my experience, it is all related to GRC.

What are the components of GRC?

Let’s talk for a moment about each of the components of GRC individually.

Governance is all about how your organization is driven to be an ethical and responsible company (or not) – established first and foremost by the “tone at the top”, and formally documented in your corporate policies and procedures.  Legal regulations certainly play a part in how the organization defines “ethical”, but every organization has its own culture, which can be partly defined by the policies put in place to govern it.

Risk Management is just that – identifying and managing the risks to the organization’s success.  Risk management isn’t just about defining the risks, though, but also determining the organizational appetite for risk.  Will we shy away from risky ventures or seek out high payoff / high risk opportunities?  Risk Management is about making good decisions based on the risk appetite of the corporation.

Compliance means making sure that at the end of the day, your employees are following the guidelines established.  This might mean regulatory or legal compliance – such as Sarbanes-Oxley or Payment Card Industry Data Security Standards (PCI DSS).  It also means compliance with those corporate policies – such as your internal Code of Conduct that dictates appropriate workplace behavior.

Does all of this sound familiar?  Of course.  Every organization is doing some degree of GRC management.  The question is – are you doing it well and efficiently?

So is policyIQ a GRC solution?

policyIQ is a solution for GRC – policyIQ is not a GRC-specific solution.  Clear as mud?   Here is another answer: most of our clients are using policyIQ to manage their Governance, Risk and Compliance initiatives, but policyIQ wasn’t designed any more as a solution for GRC than it was designed as a solution for SOX, or policies and procedures, or internal audit workpapers, or contract management, or any number of other uses for which our clients are successfully leveraging policyIQ.   In an industry analyst’s list of GRC vendors we might not be listed; that is their loss, considering the number of companies successfully using policyIQ for those needs.

Take advantage of ALL that policyIQ has to offer

Earlier I said that the question really is whether or not you are managing your GRC program well and efficiently.  Whether you are doing it well is a question for another time.  Whether you are doing it efficiently… well, that’s something that I might be able to help you with.

If you are already using policyIQ for some aspect of your GRC program, such as Corporate Policies or Sarbanes-Oxley compliance, why not expand your usage to encompass more?  For example:

    • Document regulations that apply to your organization and link those to the Policies that you have in place to meet those regulations. (Better yet, use Web Link objects where possible to link to the information on the regulatory website, so that the most current text is always accessible!) When updating a policy, you will be reminded to review the regulation to confirm that your changes are still in line with the regulation. Reporting on those linked relationships will highlight any regulations that might not have related policies documented.

    • Build out policyIQ to encompass more areas of compliance management. If you are a retail organization using policyIQ for SOX, have you considered adding PCI DSS compliance to the application? Some controls may overlap – and by documenting everything in one place, you can identify those overlaps and streamline your testing!

    • If you are using policyIQ to manage your policies, are you utilizing Forms to capture the annual sign-offs from employees confirming their ongoing compliance with those policies? If you aren’t yet managing your policies and procedures in policyIQ, consider the version control and compliance capabilities that the tool offers.

    • Implement policyIQ to track your ERM program. Last month we presented a live training session (now available as a recording) that outlined how policyIQ can be used not only to capture your Risks and Capabilities as an ERM documentation repository, but how you can create a fully interactive and sustainable assessment tool for both Risks and Capabilities by using policyIQ forms.

Want to talk more about how policyIQ can add efficiencies in your organization and pull together your Governance, Risk and Compliance initiatives?  Call your account manager or email our support team and we’d be happy to give you some ideas.

This entry was posted in Industry News, Solutions by Chris Burd.

About Chris Burd

Chris is the Managing Director of the policyIQ group at RGP. She gets geeky about compliance and technology, and gets to spend every day working at the crossroads of the two. With policyIQ since 2005, Chris has worked with hundreds of policyIQ clients to implement technology and enhance their internal compliance environment. In the past few years, she's focused on enhancing policyIQ's offering as a Conflict Minerals and Anti-Corruption tool. In past lives, Chris worked as a system implementation consultant, an e-commerce specialist, a customer service call center manager, and - for one short but memorable summer during high school - a machine operator on midnight shift in a plastics factory. In her free time, she spoils her nieces, volunteers at her local food bank, and spends more time than she should taking photos of her cats. She would like to be a rock star when she grows up.
