GRC Configuration Management; What the Heck is it?

GRC Pillar #4 is the mission-critical work discipline known as GRC Configuration Management. This post gives you a quick overview and foundation for learning more in our courses focused on this topic.

Most of our GRC Sphere Members are not familiar with the company name, Unified Compliance (or Network Frontiers). Many are also not familiar with the marketing branding phrase, "Unified Compliance Framework". Even fewer are familiar with the practice disciplines of GRC Configuration Management which span these lower-level practice areas of GRC knowlege and expertise:

  • Legal Configuration Management
  • Technical Configuration Management
  • Internal Controls Mapping
  • GRC Requirements Management
  • GRC Controls Change Management
  • GRC Controls Traceability (also known as Internal Controls requirements and Impact Assessment.)

So, this BLOG is dedicated to our key strategic partner, Unified Compliance, who has, literally, changed the course of the GRC industry as we know it. Here's the details...

Unified Compliance is based in Lafayette, CA ( They are not a well-known entity because the majority of their go-to-market IP (intellectual property) is embedded within the top enterprise-class GRC application software solutions. "Embedded" means that the Unified Compliance's application solutions are often not identified to end-users. Plus, their solutions are not accessible to those individuals who are not able to pay for access to any of the major, enterprise-class, GRC applications. Until now!

GRC Sphere Members can now get access the the most powerful and mission-critical GRC configuration management application in existence and at major discounts, too! We can offer an unprecedented level of access at the industry's lowest level of cost. Why is this possible? The reason is because we are a Members-based Industry Benchmarking Consortium which provides significant, value-add, to all Members who participate. We are interested in making the areas of GRC configuration management highly accessible while publishing benchmarking data which helps every user to determine their own performance versus "peer average" and "best-in-class" performance measures.

What is especially important is that Unified Compliance has created the above set of core GRC process practice disciplines and complimentary technology in the form of advanced application software products. Our belief is that these solutions are often taken for granted. So, we must first recognize the displine area of GRC configuration management. Then, we need to understand that it spans both legal and technical areas. Our target is to educate Members on the question of "why this is a mission-critical GRC foundation", but also with the question of "why this practice discipline is needed early in the GRC program planning process?".

The bottom line is that we believe that "GRC Configuration Management" is a core foundation for any GRC program!

Here's our formal definition:

GRC Configuration Management is the end-to-end process of managing a company's internal controls infrastructure which consists of the sub-processes of 1.) GRC requirements identification, 2.) internal controls rationalization, 3.) defining requirements and internal controls traceability, 4.) managing the controls infrastructure, 5.) preparing for internal audits of the infrastructure, 6.) managing remediation requests to the infrastructure, 7.) performing traceability and impact assessments, 8.) assessing industry benchmarking performance, 9.) assessing process performance and 10.) managing on-going reporting.

Our mission is to help educate our Members on the practice, and then... to provide training on the individual techniques, methods, and applications. We also need to develop analytical tools which can help our Members, and Member firms, to establish and rate themselves against industry-accepted measurement scales. One way to accomplish this objective is through the availability of Control Self-Assessments or, CSA's

Unified Compliance's, "Unified Approach", is a structured process which is inferred by their market brand, "Unified Compliance Framework" (UCF). UCF offers significant opportunities for any company, small or large, to save significant time and money for addressing the over-arching umbrella of legal and technical configuration management and the sub-processes of GRC requirements management, GRC internal controls mapping and management, GRC controls remediation (change management) and GRC requirements traceability / impact assessment. We will define the actual strategic value target opportunites in a follow-on BLOG.

We think that their area of expertise, i.e. Unified Compliance, needs to be well understood as a core foundation for any GRC program no matter what legal jurisdiction the organization is working within. Thus, if your company is operating in Germany, Tunesia, Chile, Singapore or Australia... you would want to employ the core GRC practice discipline referred to as "legal and technical configuration management" just as you would if your company were operating in any other country around the globe. So what, actually, is the "unified approach" that we are talking about? Here's another descriptive definition:

The 'unified approach' which is inferred within Unified Compliance's market brand, 'Unified Compliance Framework' is the structured process and sub-processes of legal and technical configuration management of a company's internal controls (along with the metadata that is related to the internal controls). The process starts with GRC requirements definition that form the over-arching business rules that a company needs to comply with, or conform to. That's the formal process where a company defines the specific legal mandates (often referred to as finding the 'authority documents'). The legal mandates and authority documents contain the actual business rules. Using the parlance of those technical professionals who follow the Business Rule Approach to Regulatory Compliance methodology... these business rule forces are collectively called 'external motivation' (as defined within the Business Rules Motivation Model - BRMM). External Motivation-related rules come in several forms (referred to as rule abstractions). They may take the form of an industry regulation, a statute, or a law. They may also be defined as 'industry standards' which is a type of "guideline" rule.

In addition, there is also another set of business rules that are collectively called 'internal motivation'. These rule abstractions are policies, internal company guidelines and Standard Operating Procedures, or SOP's. These abstractions are also business rules, requirements and / or guidelines that a company creates to address work quality, work deliverable consistency, and many other countless needs. Lastly, there are other legal rules and technical rules contained within legal agreements (i.e. contracts), technical reuirements and even software code.

Many GRC pro's refer to the GRC configuration management process as 'internal controls mapping', because in the past the standard approach which was used to manage the legal and technical configurations was the lowly spreadsheet. As auditors we know that we all need to mitigate the risks associated with spreadsheets by migrating to more effective (and safe) means to manage our legal and technical configurations, so spreadsheets are not the answer for helping us to manage GRC configuations, nor GRC program data.

In the next BLOG we will cover the actual products that our Members can use as core GRC Sphere services to help them in their legal and technical configuration management work. These are as follows:

  • The Common Controls Hub (CCH)
  • The Compliance Dictionary
  • CCH Applications Programming Interface (API)


Post new comment

The content of this field is kept private and will not be shown publicly.