GRC and Governance Platforms - Introduction
We have been dealing with the topics of data analysis, audit, risk management, compliance and ICS (Internal Control System) for over 15 years. A great deal has happened in this field, especially in the last one to two years.
New and better solutions for individual company areas have been created, but we have also seen a consolidation of isolated applications and their integration into software platforms. For this reason, it makes sense for us to look in a structured way at what a possible platform in the area of GRC or corporate governance could look like and where individual components could be integrated.
After an introduction to the topic at this point, the next articles in the series will focus on the following topic blocks, among others:
- Internal Controls Management
- Audit Management
- Data analysis and control automation
- Compliance Management
- Vendor Risk Management
All of these can be parts of such a GRC platform. Before we go into these areas in detail, however, let's first take a look at some fundamental aspects. We distinguish between the technical and functional requirements of a platform and the possible contents that can be covered in an integrated way.
What can be understood by a GRC software platform?
The term "platform" is often used as an umbrella term for hardware or software platforms. The definitions found online are often rather technical, using terms such as "binary-based platform", "source code-based platform" or "runtime environment as platform".
Analogy: ERP platform
In our context we understand the term more in the sense described in this (German) Computerwoche article about ERP platforms. It is interesting that the author takes up aspects that we later describe as the central advantages of the GRC platform we use as an example:
- the elimination of the customizing challenge
- the softening of the rigidity of a closed system
- the integration of different sub-areas (described in the Computerwoche article using the example of the value chain)
Furthermore, the growth of the SaaS share of platform solutions and the importance of cloud technology are shown using the example of ERP platforms.
Which components can be part of a GRC platform?
When describing what is meant by a GRC platform, the modular concept (sub-areas or components) plays an important role. When talking about GRC or corporate governance, various sub-areas come up again and again in this context. Without any claim to completeness, these include the following topics (listed here in alphabetical order, since their importance varies depending on the point of view):
- Business Performance Management / Enterprise Performance Management: The view of the company as a whole is becoming increasingly important. In some areas, meaningful statements can hardly be made with isolated applications; a company-wide, data-supported platform is a prerequisite for this.
- Compliance Management: What rules are there, how are they defined, what is the commitment to compliance in the various corporate divisions, and how can compliance be monitored and the degree of compliance or coverage measured?
- Data analyses & transaction-based reporting: In this context, the focus is more on descriptive analyses that provide key business figures (classic KPIs), or in the case of a risk-oriented view, KRIs (Key Risk Indicators). However, we also assign this topic in the course of checking the effectiveness of controls (ICS: Controls operating effectively) including drill-down to individual transactions that are tracked.
- ERM Enterprise Risk Management: What risks exist at an aggregated company level, what is the probability of occurrence and potential impact? What measures can be taken to reduce or avoid the risks and how can the whole thing be presented in reports?
- Fraud prevention and detection: How can fraudulent acts be prevented at best or avoided at second best? This often has a close connection to data analysis (classical) or predictive analytics.
- GDPR / DSGVO: With regard to the General Data Protection Regulation (Datenschutz-Grundverordnung, DSGVO), there are numerous requirements for "GDPR compliance". Due to the current great importance of the topic, it is listed separately here; strictly speaking, it could also be seen merely as one instance of the "Compliance" point.
- Incident Management: If security-relevant interruptions or (possibly also quality-reducing) malfunctions occur in the operating process that require a controlled reaction (process) to remedy them, one speaks of IT incident management. This can also be part of such a platform.
- Internal control system: A functioning ICS is of central importance for companies, as it helps to ward off damage and to comply with internal and external rules. It is often a challenge to create the required transparency of the control objectives to be achieved in conjunction with the set of controls, as the set of objectives often involves a considerable volume of data. The mix of manual and automated controls, different control cycles (daily, weekly, monthly, etc.) requires systems that help to operate and manage the ICS.
- Internal audit: It makes statements about the effectiveness of internal controls and risk management, for example in the form of operational audits, compliance audits, financial audits or management audits, and is also often referred to as the third line of defense. It requires support in the areas of audit planning, audit execution (fieldwork), documentation of results, reporting and follow-up / action tracking. In order to judge the effectiveness of internal controls, results from data analysis are often included, but risk-based audit planning can also be another aspect.
- IT Security Management: This deals with procedures and rules around information security. In this context, ISO 27001 certification based on IT baseline protection (IT-Grundschutz) should also be mentioned.
- Process Analysis / Process Mining: Another current topic, which involves deriving the actual state from a process perspective based on the merged transaction data of the company. The aim is to recognize process flows and to identify and improve weak points. Improvements can be achieved, for example, by changing operational processes, by better support of individual sub-processes or, on the IT side, by automation in the sense of RPA (Robotic Process Automation).
- Reporting: Actually, reporting is not a separate module, but can be used across all the components mentioned here to achieve transparency in the various subject areas. Ideally, it supports operative reports in detail as well as strategic reports for management. It should be flexible enough to allow facts and figures to be easily grouped according to specific objects; from an ICS perspective, for example, the controls per organizational unit, or from an internal audit perspective the status of action tracking per audited unit, or reports from financial accounting or in the context of business performance management.
- SOX Testing (to whom it may concern ;-): The Sarbanes-Oxley Act will soon celebrate its 20th birthday. Introduced to give investors more security again after various scandals concerning the financial reports of companies, one of its essential points is to test and confirm the effectiveness of the internal control system. This requires support in the form of testing, but also documentation of the results.
- Vendor risk management / Third party risk management: This refers to potentially serious indirect risks arising from the cooperation with business partners such as suppliers; or the avoidance/reduction of such risks by evaluating the business partners with regard to a catalogue of minimum requirements. Third party risk management is similar, but in some places the two topics can be differentiated in terms of content; for example, you can find a corresponding differentiation here: https://de.wegalvanize.com/vendor-risk/the-difference-between-vrm-tprm/
- Audit (as an audit of financial reporting) or annual audit as a subset thereof: For corporations of a certain size, it is mandatory to undergo an annual audit. Here, too, the correctness of the annual financial statements, or of the situation of the company described in them, is to be confirmed in order to create certainty in this respect for third parties.
Ideally, a GRC or Governance Platform comprises solutions for the above-mentioned sub-areas and integrates them into a holistic GRC platform. There are also grey areas and overlaps in the above list: for example, SOX Testing could be seen as a special case of the ICS area, while GDPR and ISO 27001 are standards and sets of rules and regulations which, as briefly touched on above, belong as content to the Compliance Management area.
We have now described the idea of a "GRC platform", first in technical-functional terms, following the characteristics of established ERP platforms, then in terms of content by listing possible components and modules that such a platform could contain or integrate.
In the next blog posts in this series we will pick out individual sub-areas and examine them in more detail. In the next article we will deal with the possibilities that a GRC platform offers in the area of ICS. We will cover topics such as risk-oriented control design, show examples of risks, and outline possibilities for evaluating risks and controls, as well as for automating controls through data analysis. In preparation for this, you will find an ebook that lays some foundations in ICS matters, and a blog post about Internal Control Design by the software manufacturer Galvanize, whose GRC platform Highbond we will use for our examples.
We hope to have given you a helpful overview and introduction to the topic. If you have any questions or comments, please feel free to contact us at any time!