The Strategic Value of GRC Configuration Management

In the last BLOG post we introduced the topic of GRC Configuration Management and we listed the sub-processes which, collectively, make up this best practice work discipline. Here's the formal definition that we've put forward:

GRC Configuration Management is the end-to-end process of managing a company's internal controls infrastructure which consists of the sub-processes of 1.) GRC requirements identification, 2.) internal controls rationalization, 3.) defining requirements and internal controls traceability, 4.) managing the controls infrastructure, 5.) preparing for internal audits of the infrastructure, 6.) managing remediation requests to the infrastructure, 7.) performing traceability and impact assessments, 8.) assessing industry benchmarking performance, 9.) assessing process performance and 10.) managing on-going reporting.

In this BLOG we will nail down the strategic value proposition associated with the GRC configuration management processes so that you can understand, and appreciate, why these processes form such a major core infrastructure component of any company's GRC program.

The first point is that by leveraging GRC configuration management your company can not only save a lot of time and money but also reduce the risk of falling out of compliance, which, quite frankly, is a lot easier to do than achieving compliance in the first place. So, by using Network Frontier's Unified Compliance Framework your firm will be able to follow proven "Unified Approach" processes for nailing down your GRC internal control requirements, managing the internal controls rationalization process (i.e. the reduction of controls to only those that must be sustained and managed), managing remediation requirements (i.e. change requests to the internal controls configuration), conducting impact assessments and other traceability requirements, and lastly, handling your on-going reporting needs.

The internal controls rationalization process jumps out at us when we realize that by using Network Frontier's Common Controls Hub (CCH) and Compliance Dictionary, even a small company can reduce the number of discrete internal controls by an astounding 60% or more. That's huge! We can prove it, too. One of our case studies points to the fact that a small company was able to reduce their internal controls from 2050 to 850.

Let's now turn to the dollar savings which are associated with such a drastic reduction of internal controls and why the rationalization stage is the 3rd most important dollar-saving opportunity that a company has within the GRC domains (after understanding what your company is actually spending for your GRC program on a yearly basis and after implementing the closed-loop control architecture of industry benchmarking)!

Once your business, technical and legal team members have completed their internal controls rationalization process the strategic value opportunities become your low-hanging fruit:

1. 40% reduction in the labor overhead associated with the management of internal controls.

2. 50% reduction in the labor overhead associated with remediation / change requests.

3. 30% reduction in the labor overhead associated with preparing for an audit.

What is a bit more difficult to measure is the enhancement potential to your corporate brand and reputation. But suffice it to say that it looms as the overall strategic opportunity which any GRC program management needs to keep in mind.

So, how does a firm get started in moving forward? The first step is to assemble and mobilize the teams that will be responsible for managing your GRC configuration management program and the internal controls that fall into the 3 buckets of business, technical and legal. You will also want to involve representatives of your internal and external audit groups. Next, you will want to contact us to help your team members with overview education and training resources for Common Controls Hub (CCH) and the CCH Data Dictionary.

If you are already working with your GRC configuration management processes, let us know what measurements you are already using and we will pass them on to our Members who have not yet gotten started on their GRC configuration management journey. We look forward to speaking with you about this area and seeing how we can all benefit from core education that supports all processes associated with GRC Configuration Management.
