Organizations today face unimaginable challenges as they do business in an increasingly complex global marketplace. They need to step back, get a good look at the challenges and develop an integrated approach to ensuring effective governance, managing risks, and optimizing performance while addressing compliance requirements throughout the enterprise. The result: what OCEG calls Principled Performance®.

A number of key business processes help organizations achieve Principled Performance®, and those under the broad areas of governance, risk management, and compliance are particularly critical to this success. Because there is significant overlap not only between these areas but also in the underlying activities, addressing them in an integrated fashion allows a consistent view of information and efficient application of resources that greatly enhance the power each individual process brings to the organization. We call that integrated approach “GRC.” The simple step of adopting a consistent approach to setting operational goals and standards and making sure they’re met – by integrating activities that are siloed and often duplicative or contradictory – enhances the organization’s value by making its activities more agile, efficient, and effective.
Not too long ago, the use of technology to support GRC was an option, but no longer. Today, the thoughtful application of technology solutions is essential to a successful GRC strategy that enables the organization to achieve Principled Performance®. The quantity, quality and expansive locations of information throughout the entity mandate the use of an integrated and well-architected technology support structure that includes GRC.
In the absence of an integrated approach to information technology (IT), the organization runs a significant risk of failing to obtain, understand, and effectively use information about external and internal events; strategies, goals and objectives; requirements; performance; and conduct – the information that enables effective governance, risk management, compliance and the operation of related controls. Senior executives and the board cannot demonstrate that they have taken the steps necessary to protect the organization and optimize performance in support of its objectives. Audits and risk assessments are likely to be unreliable.
But how does management know what IT solutions to employ to optimize its GRC processes? How does the organization define its needs and ensure systems are employed that provide the clarity and transparency needed to govern and manage well? How do business and IT teams ensure that they can identify the right types of IT solutions for each business need?
To assist organizations in answering these questions, OCEG originally developed the GRC Technology Blueprint and has now replaced it with this GRC Technology Guide™ (“the Guide”). The Guide supports the OCEG GRC Capability Model™, and sets out typical GRC technologies and systems across 33 technology categories.
The Guide is a model of typical areas where technology can be used to enhance and enable GRC processes across the enterprise. It is not intended to include every functionality and capability, but to help the IT and business users of the Guide understand at a high level the technology that is available, prioritize the needs of their organization, and start the technology selection process. That selection should always be within the context of the organization’s overall IT infrastructure strategy. OCEG will update the Guide on a periodic basis to reflect advances in technology and its use.
The Guide maps these Technology Categories:
- to enterprise visibility, processes/functions, and roles; and
- to relevant elements of the OCEG GRC Capability Model.
With an understanding of these relationships, owners of GRC processes and Information Technology professionals can use the Guide to better understand and enable technology support for GRC processes.