The Case for Continuous Compliance
Joe Wilson
The challenge of running an effective GRC program has grown as the amount of information these programs track has exploded. It has been made harder by the shift of many organizations' compliance programs into something closer to a risk management or risk avoidance program. What was previously viewed as a form of auditing or reporting is now treated as a hedge against risk, and that GRC model requires far more intensive sampling of information than was done before.
Unfortunately, with many companies running their GRC programs by hand out of spreadsheets, it is difficult to keep up with the flow of information and to confirm that policies are actually being followed. Problems arise because GRC policies require continuous adherence, while the company's monitoring of the underlying processes is mostly intermittent.
In the end, governance, risk and compliance processes fail because they are built to capture a snapshot in time, while the environment they describe is constantly changing; static or linear processes cannot keep up. Add the need for human intervention, usually from someone whose full-time responsibilities lie elsewhere, and you are asking for process breakdowns.
What we’re now seeing is that effective GRC requires a continuous compliance model. Such a model typically includes these characteristics:
Process Flow Model: Interconnected processes that handle high volumes of transactions, each triggered by other processes rather than kicked off as a reaction to an event.
Real-time Auditing & Reporting: The demands for information to identify risks have become much more intensive. The ability to produce dashboards, reports and audit trails automatically, without manual assembly, is critical to speeding up risk management and mitigation.
Autonomous Processes: Core processes are built to run with minimal overhead on employees or vendors. This reduces error rates, improves adoption, and improves program performance and reporting.
Manage by Exception: The core process is automated to cover the routine cases, with exception-handling branches for the remainder so that human attention is prioritized and the overall process is optimized.
Multi-Program Configurable Components: Component elements can be configured to support many GRC programs, variations in program requirements, and segmentation on any number of factors (geography, function, department, role, reporting structure, etc.).
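To make the five characteristics above concrete, here is an added example of a minimal continuous-compliance control loop in Python. It is not code from the original post; the asset inventory, the control identifiers (ENC-01, LOG-02, MFA-01, RES-03), the program names and the remediation function are all constructed for the illustration. Each control is policy-as-code with a scope predicate (segmentation), an optional routine auto-fix (manage by exception), and a list of the programs that reuse it (multi-program components); every evaluation is appended to an audit trail rather than assembled after the fact (real-time reporting), and a second cycle shows drift being caught instead of surviving between snapshots.

```python
"""Continuous-compliance control loop: added example, not from the original post.

Everything here is hypothetical: the inventory, the control identifiers, the
program names and the remediation hook are constructed for the example.
"""
import copy
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class Control:
    control_id: str
    programs: tuple                          # GRC programs that reuse this control
    applies_to: Callable[[dict], bool]       # segmentation: which assets are in scope
    check: Callable[[dict], bool]            # True means compliant
    remediate: Optional[Callable[[dict], None]] = None   # routine auto-fix, if safe


@dataclass
class Finding:
    ts: str
    control_id: str
    asset_id: str
    status: str    # "pass" | "auto-remediated" | "exception"


def is_store(a: dict) -> bool:
    return a["type"] in ("volume", "database")


def enable_logging(a: dict) -> None:
    a["logging"] = True   # stands in for the API call that turns audit logging on


CONTROLS = [
    # Re-encrypting a volume is not a routine fix, so ENC-01 has no remediation.
    Control("ENC-01", ("SOC2", "ISO27001"), is_store, lambda a: a["encrypted"]),
    Control("LOG-02", ("SOC2",), is_store, lambda a: a["logging"], enable_logging),
    Control("MFA-01", ("SOC2", "PCI"),
            lambda a: a["type"] == "account" and a["privileged"], lambda a: a["mfa"]),
    Control("RES-03", ("GDPR",),
            lambda a: a.get("data_residency") == "EU", lambda a: a["region"].startswith("eu-")),
]

# Constructed inventory snapshot; in practice this is pulled from cloud and IdP APIs.
INVENTORY = [
    {"id": "vol-1", "type": "volume", "region": "us-east", "encrypted": True, "logging": True},
    {"id": "vol-2", "type": "volume", "region": "eu-west", "encrypted": False, "logging": False},
    {"id": "acct-admin", "type": "account", "region": "eu-west", "privileged": True,
     "mfa": False, "data_residency": "EU"},
    {"id": "db-3", "type": "database", "region": "us-east", "encrypted": True, "logging": True,
     "data_residency": "EU"},
]


def fresh_inventory() -> List[dict]:
    """A mutable copy of the sample inventory, so cycles can remediate in place."""
    return copy.deepcopy(INVENTORY)


def run_cycle(controls: List[Control], assets: List[dict], audit: List[Finding]) -> List[Finding]:
    """Evaluate every in-scope control against every asset. Routine failures are
    auto-remediated and re-checked; everything else becomes an exception. All
    results are appended to the audit trail; this cycle's findings are returned."""
    ts = datetime.now(timezone.utc).isoformat()
    cycle: List[Finding] = []
    for asset in assets:
        for c in controls:
            if not c.applies_to(asset):
                continue
            if c.check(asset):
                status = "pass"
            elif c.remediate is not None:
                c.remediate(asset)
                status = "auto-remediated" if c.check(asset) else "exception"
            else:
                status = "exception"
            cycle.append(Finding(ts, c.control_id, asset["id"], status))
    audit.extend(cycle)
    return cycle


def summarize(findings: List[Finding], controls: List[Control]) -> Dict[str, Dict[str, int]]:
    """Dashboard view: per GRC program, counts of pass / auto-remediated / exception."""
    by_id = {c.control_id: c for c in controls}
    out: Dict[str, Dict[str, int]] = {}
    for f in findings:
        for prog in by_id[f.control_id].programs:
            out.setdefault(prog, {"pass": 0, "auto-remediated": 0, "exception": 0})[f.status] += 1
    return out


def exceptions(findings: List[Finding]) -> List[tuple]:
    """The human work queue: only what automation could not close."""
    return [(f.asset_id, f.control_id) for f in findings if f.status == "exception"]


if __name__ == "__main__":
    audit: List[Finding] = []
    assets = fresh_inventory()
    first = run_cycle(CONTROLS, assets, audit)
    print("cycle 1 exceptions:", exceptions(first))
    assets[0]["logging"] = False       # drift between cycles: logging switched off on vol-1
    second = run_cycle(CONTROLS, assets, audit)
    print("cycle 2 summary:", summarize(second, CONTROLS))
    print("audit trail entries:", len(audit))
```

Two design choices matter here. Only controls with a genuinely routine fix carry a remediation hook; a failure that needs judgement (re-encrypting storage, enrolling an administrator in MFA, moving data across regions) is routed to the exception queue instead of being patched blindly. And the audit trail is written at evaluation time, so a report for any program is a filter over records that already exist rather than something assembled from spreadsheets before an audit.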
Implementing the continuous model of GRC requires a more in-depth understanding of how its elements are connected. That up-front investment is offset by the automation of core processes, the ability to configure the exception process, the ability to reuse the same system across multiple programs, and the gain in risk mitigation and liability defense.