GRC: the upside of risk
A common risk for many organizations is making incorrect payments to their suppliers. "Our integrated approach to GRC enables the organization to monitor compliance by determining whether there are indications of fraud, such as micro-payments," Sinha says. The same monitoring of payments also allows the organization to assess its practices from a business performance viewpoint. "The organization can find out whether it is making the most of the terms it has negotiated," he adds. "For example, are they paying too early, and therefore reducing cash flow?"
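The two checks Sinha describes, a fraud indicator (clusters of micro-payments to one supplier) and a performance indicator (invoices settled before their negotiated due date with no discount earned), can be run over the same payment ledger. The following is an added illustration, not code from the page or from any vendor's product; the Payment record, the $100 micro-payment threshold, the 7-day window and the minimum count of five are assumed policy values, and the ledger is constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


# Hypothetical payment record; field names are an assumption for this example.
@dataclass
class Payment:
    vendor: str
    invoice_date: date
    paid_date: date
    amount: float
    terms_days: int                  # negotiated net terms (30 = net 30, 0 = due on receipt)
    early_discount_pct: float = 0.0  # discount earned by paying early, 0 if none


def flag_micro_payment_bursts(payments, threshold=100.0, window_days=7, min_count=5):
    """Flag vendors that received many sub-threshold payments in a short window.

    A burst of micro-payments can mean an invoice was split to stay under an
    approval limit. Returns {vendor: (count, total)} for the densest window
    that reaches min_count. Threshold, window and count are assumed policy values.
    """
    by_vendor = defaultdict(list)
    for p in payments:
        if p.amount <= threshold:
            by_vendor[p.vendor].append(p)
    flagged = {}
    for vendor, micro in by_vendor.items():
        micro.sort(key=lambda p: p.paid_date)
        start = 0
        for end in range(len(micro)):
            # shrink the window from the left until it spans at most window_days
            while (micro[end].paid_date - micro[start].paid_date).days > window_days:
                start += 1
            count = end - start + 1
            if count >= min_count and count > flagged.get(vendor, (0, 0.0))[0]:
                total = round(sum(p.amount for p in micro[start:end + 1]), 2)
                flagged[vendor] = (count, total)
    return flagged


def flag_early_payments(payments):
    """Flag payments settled before the negotiated due date with no discount earned.

    Returns a list of (vendor, days_early, amount): cash handed over before it
    was owed, with nothing received in return for doing so.
    """
    early = []
    for p in payments:
        due = p.invoice_date + timedelta(days=p.terms_days)
        days_early = (due - p.paid_date).days
        if days_early > 0 and p.early_discount_pct == 0:
            early.append((p.vendor, days_early, p.amount))
    return early


def idle_cash_dollar_days(early_flags):
    """Sum of amount * days paid early: a rough measure of float given away."""
    return sum(amount * days for _, days, amount in early_flags)


# Constructed sample ledger (not real data).
SAMPLE_PAYMENTS = [
    # six $80 payments to one supplier over five days, each due on receipt
    *[Payment("Acme Supplies", date(2024, 1, d), date(2024, 1, d), 80.0, 0) for d in range(2, 8)],
    # net-30 invoice paid 21 days early with no discount negotiated
    Payment("Globex", date(2024, 1, 1), date(2024, 1, 10), 5000.0, 30),
    # one invoice paid exactly on the due date, one paid early in return for a 2% discount
    Payment("Initech", date(2024, 1, 1), date(2024, 1, 31), 2500.0, 30),
    Payment("Initech", date(2024, 1, 1), date(2024, 1, 8), 1200.0, 30, early_discount_pct=2.0),
]

if __name__ == "__main__":
    print("micro-payment bursts:", flag_micro_payment_bursts(SAMPLE_PAYMENTS))
    early = flag_early_payments(SAMPLE_PAYMENTS)
    print("early payments without discount:", early)
    print("idle cash (dollar-days):", idle_cash_dollar_days(early))
```

On the sample ledger the first check flags only Acme Supplies (six payments totalling $480 inside the window), and the second flags only the Globex invoice; the Initech payment made early for a discount is deliberately not flagged, since that is the negotiated term being used rather than wasted. The dollar-days figure is what a finance dashboard would trend over time.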
At the C-level, decisions need to be made about which activities to focus on during a given time period. "The day-by-day activities should be guided by the overview, yet compliance needs to be achieved at the granular level," Sinha explains. "This is not an easy problem to solve, but is a trend we are moving toward. Our goal is to provide advanced automation that will make a direct impact on the bottom line but linked to a strategic plan and drawing on an integrated store of information."
Measure and manage
What to measure depends on the organization's goals. "A company needs to do some things such as meet safety standards in order to conduct its business, regardless of whether there is a regulation," says Gartner's Caldwell. Beyond that, documenting compliance through a variety of measures, controls and reporting is driven by regulations or by partners. Finally, compliance may be tied to corporate strategy. "For example, a company might opt to comply with ISO 9000 because it helps to ensure introduction of quality products, which is important for the company's growth strategy," he says. Each type of compliance requires a multitude of measures and controls.
Organizations should systematically go through a logical sequence to identify what should be measured. What are the organization's objectives, and what are the underlying processes that support those objectives? What are the indicators of success? Finally, what are the risks and how can they be mitigated?
"A lot of data and reporting need to occur in order to show that companies are in compliance and managing risks. In addition, the strategic objectives must be linked to the risk and controls," says Caldwell. In today's regulatory and risk-aware environment, the outlook for GRC solutions seems positive.
Compliance and third-party risk
Over the past few years, new regulations have made organizations increasingly responsible for the behavior of third-party partners with whom they are associated. If an outsource partner pays a bribe, the primary contractor can be held responsible. Therefore, more attention is being paid to due diligence during on-boarding, and to monitoring third-party behavior on a regular basis. Certain countries, industries and types of transactions increase the risk of third-party infractions occurring.
Third-party risk management solutions organize the relevant information and provide the structure for tracking third parties. Compliance 360 Third Party Risk Management is one of the GRC products available from SAI Global that focuses on this issue. "Our solution organizes contracts associated with third parties," says Steve McGraw, president of GRC solutions at SAI Global, "and it provides alerts for contract compliance when deadlines come up." In addition, it automates the assessment process with surveys and questionnaires, provides dashboards that report the status of the risks associated with each partner, and raises alerts for risks that fall outside predefined thresholds.
"The ongoing monitoring process can be more of a challenge than the initial assessment," says McGraw. "During on-boarding, the legal department, procurement, the CFO and others are working collaboratively. After that, having a systematic way to track the partners is important because the risk profile of a business partner can change over time." Compliance 360 Third Party Risk Management provides visualization tools that highlight trends in vendor risk over time and present a color-coded graphic breakdown of the level of risk for each factor.