A Practical GRC Solution for a Metals Enterprise
Industries today are going through a tremendous transformation. Emerging from a period of market uncertainty, companies face the challenge of finding new ways to create value while managing risks and staying on top of increasing regulatory requirements.
The following are some of the challenges industries are facing.
• Effective risk management is a top priority for companies. They are struggling to gain greater efficiency in their compliance initiatives, and are realizing that proactive investment in enterprise governance, risk and compliance automation yields satisfactory returns in terms of operational efficiency, sustainability and business growth.
• Many companies are aiming to add value through governance, risk and compliance initiatives, with embedded rules, processes and controls that align with the organization’s operating policies and strategic objectives.
• Within an organization, many departments use different and multiple compliance tools and work in silos. This increases cost, causes confusion through duplication, and produces contradictory processes that lead to huge documentation and reduced trust in risk and compliance data. It prevents executives and senior management from making intelligent decisions in a timely manner.
• Manual processes are more prone to error. They slow down the transfer of virtual business information and keep the focus of top management away from higher-value tasks.
• Integrated risk information for financial reporting (including mitigation, if any), a compliance and audit management system, and improved operational efficiency are the need of the hour for industries.
To overcome these challenges, organizations are trying to frame policies and rules and to adopt standards and regulations that meet compliance requirements, all to gain recognition at the top of an open, competitive world.
Compliance is not a one-time activity or event; rather, it should be a sustainable and continuous framework. It sits at the center of an organization and ensures all requirements are met at the right time.
Hence, holistically, the need for GRC solutions arises across the world, but many questions have popped up.
Which technology tools will be able to provide me with an appropriate solution and answer all my questions?
What type of data are we currently tracking and why?
What type of data do we want to track or analyze & what do we want to know by tracking this?
What types of obligations or compliance demands do we need to meet both internally and externally?
To whom are we required to report this information? How is this information passed now?
What are the needs of the organization today and in the future, considering risk management, audit reviews, regulatory information and its compliance, standards, controls, policies and procedures, asset management, physical incident records, self-assessment, vulnerability assessment, etc.?
Here in our organization, in addition to these questions, we considered the following points before implementing a GRC solution.
1. Common organization structure with approval strategy
2. Common risk language, risk analysis and prioritization of risk, and thereby segregation of conflicts, with mitigation controls if any are required
3. Common processes and sub-processes in line with compliance / regulatory requirements, for accurate, timely and consistent risk data aggregated across the organization
4. Eliminate all redundant work in various initiatives
5. Eliminate duplicate software, hardware and multiple processes
6. Providing a single version to end users, management, auditors and regulatory bodies
7. Policy management, integrated documentation management and communication to the respective stakeholders
8. Business-role and profile-based access assignment to users across all applications, automatically
9. Clear-cut access segregation for administrators and normal users, with audit trails of activities
10. Common access reviews and transparent SOD reviews
11. Enabling multiple levels of approval and authorization for critical data transfer
12. Converting controls from manual to automatic to give executives a clear dashboard, with alerts in case of deviation
13. Challenges in integration with other legacy solutions.
The GRC software market is mostly dominated by key global players such as IBM, RSA Archer, Thomson Reuters, SAP, Oracle, RCS Compas, etc.
We found that SAP is suitable for our scenarios and implemented SAP GRC for our organization. The following modules are implemented and successful in our organization.
1. Access Management – Complete access provisioning for all SAP systems and other non-SAP systems is handled via this module. All the functionalities of this module are in use. UAR and SOD reviews give insight into the conflicts and risks associated with users and help to review, remove and mitigate risks. The module is integrated with the HR system for smooth user access provisioning, changes and de-provisioning. It provides transparency in the audit trace and helps to have a trouble-free audit process.
2. Process Management – This provides a comprehensive solution for effective process control management. It gives ways to map policies centrally, perform control design and effectiveness testing, and raise and remediate issues during testing. It has facilities to perform automated, semi-automated and exception-based controls, provides management dashboards and visibility into document controls, and provides clarity under audit pressure when handling large amounts of information with complex processes.
3. Risk Management – This module helped us to identify all business-related risks, establish a uniform risk framework across the organization, and better assess, analyze and monitor the magnitude of their impact on a regular basis. It helps to track key risk indicators and align them with risk events and their potential consequences. It captures all incidents related to risk for further fine-tuning of the system.
Our desired state from utilizing SAP GRC would be:
• Increased automation of controls with less manual intervention,
• Improved business process performance by implementing continuous monitoring tools,
• Tight and secured system control with on-time exception alerts, thereby reducing rework and cost,
• Trouble-free audit preparation and audit management, which creates confidence among employees, management and stakeholders and changes the perception of the audit process from a burden to a strength of the organization.