A Practical GRC Solution for a Metals Enterprise

By Thanga Vijaya, Associate Manager and Amitabh Mishra, Chief Digital Officer, Vedanta Resources

Nowadays industries are going through tremendous transformation. Emerging from a period of market uncertainty, companies are faced with the challenge of finding new ways to create value while managing risks and staying on top of increasing regulatory requirements.

The following are some of the challenges industries are facing.

• Effective risk management is a top priority for companies. They are struggling to gain greater efficiency in their compliance initiatives, and are realizing that proactive investment in enterprise governance, risk and compliance automation yields satisfactory returns in terms of operational efficiency, sustainability and business growth.

• Many companies are aiming to achieve value addition through governance, risk and compliance initiatives, with embedded rules, processes and controls that align with the organization’s operating policies and strategic objectives.

• Within an organization, many departments use different and multiple compliance tools and work in silos. This increases cost, creates confusion through duplication, and produces contradictory processes that lead to huge documentation and reduced trust in risk and compliance data. This prevents executives and senior management from making intelligent decisions in a timely manner.

• Manual processes are more prone to error. They slow down the transfer of virtual business information and keep the focus of top management away from higher-value tasks.

• Integrated risk information for financial reporting, including mitigation if any, a compliance and audit management system, and improved operational efficiencies are the need of the hour for industries.

To overcome these challenges, organizations are trying to frame policies and rules and to adopt standards and regulations to meet compliance requirements, all to be recognized at the top of an open, competitive world.

Compliance is not a one-time activity or event; rather, it should be a sustainable and continuous framework. It sits at the center of an organization and ensures all requirements are met at the right time.

Hence, holistically, the need for GRC solutions arises across the world, but many questions pop up.

Which technology tools will be able to provide me an appropriate solution and answer all my questions?

What type of data are we currently tracking and why?

What type of data do we want to track or analyze & what do we want to know by tracking this?

What types of obligations or compliance demands do we need to meet both internally and externally?

To whom are we required to report this information? How is this information passed on now?

What are the needs of the organization today and in the future, considering risk management, audit reviews, regulatory information and its compliances, standards, controls, policies and procedures, asset management, physical incident records, self-assessment, vulnerability assessment, etc.?

Here in our organization, we considered the following points before implementing a GRC solution, in addition to the questions above.

1. Common organization structure with approval strategy

2. Common risk language, risk analysis and prioritization of risk, thereby segregation of conflict, and mitigation control if any required

3. Common process, sub-process in line with compliance / regulatory requirements for accurate, timely, consistent risk data aggregated across the organization.

4. Eliminate all redundant work in various initiatives

5. Eliminate duplicate software, hardware and multiple processes.

6. Providing single version to end users, management, auditors & regulatory bodies.

7. Policy management, integrated documentation management and communication to respective stakeholders

8. Business-role and profile-based access assignment to users across all applications automatically.

9. Clear-cut access segregation for administrators and normal users with audit trails of activities.

10. Common access reviews and transparent SOD reviews.

11. Enabling multiple levels of approvals and authorization for critical data transfer

12. Converting controls from manual to automatic to provide a clear dashboard to executives, with alerts in case of deviation

13. Challenges in integration with other legacy solutions.

The GRC software market is mostly dominated by key players in the world like IBM, RSA Archer, Thomson Reuters, SAP, Oracle, RCS Compas etc.

We found that SAP is suitable for our scenarios and implemented SAP GRC for our organization. The following modules are implemented and successful in our organization.

1. Access Management – Complete access provisioning for all SAP systems and other non-SAP systems is handled via this module. All the functionalities of this module are in use. UAR and SOD reviews give insight into the conflicts and risks with users and help to review, remove and mitigate risks. It is integrated with the HR system for smooth user access provisioning, changes or de-provisioning. It provides transparency in the audit trace and helps to have a trouble-free audit process.

2. Process Management – This provides a comprehensive solution for effective process control management. It gives ways to map policies centrally, perform control design and effectiveness testing, and raise and remediate issues during testing. It has facilities to perform automated, semi-automated and exception-based controls, and it provides management dashboards, visibility into document controls, and clarity under audit pressure when handling large amounts of information with complex processes.

3. Risk Management – This module helped us to identify all business-related risks, establish a uniform risk framework across the organization, and better assess, analyze and monitor the magnitude of their impact on a regular basis. It helps to track key risk indicators and align them with risk events and potential consequences, and to capture all incidents related to risk for further fine-tuning of the system.

Our desired state by utilizing SAP GRC would be:

• Increased automation controls with less manual intervention,

• Improved business process performance by implementing continuous monitoring tools,

• Tight and secured system control with on-time exception alerts, thereby a reduction in rework and cost,

• Trouble-free audit preparation and audit management, which creates confidence among employees, management and stakeholders and changes the perception of the audit process from a burden to a strength of the organization.

