Corporate Compliance and Oversight Management
Policy and Compliance Management
GRC platforms (more or less) got their start in the marketplace by addressing one or more regulatory or control testing challenges for clients. Early spending on technology enablement of compliance processes centered on making control testing more efficient through technology, which did deliver benefits when the solution was designed correctly. Most of the solutions our team was asked to design or implement revolved around compliance management, especially regulatory requirements mapping and testing. (No more spreadsheets!)
As individual regulatory needs were addressed, clients looked to automate the full lifecycle of compliance management processes. Typical compliance management technology enablement has focused on automating enterprise compliance processes, performing assessments, testing for deficiencies, and managing remediation efforts. The maturing of compliance programs brought with it several daunting challenges. Many of the technology platforms used to address control testing are “control centric,” meaning they use a checklist approach (built around a control library) to gain control testing efficiencies. That is not a terrible first step, but as more regulations and requirements are added to the technology platform, it quickly becomes problematic. Other challenges have included how to automate the regulatory change management process (when a requirement changes, how does the change get reflected in the system of record) and how to risk-rationalize the controls. These and other challenges have caused new technology platforms to emerge that can be leveraged to support the scalability and the asset/risk/control linkages needed by a mature compliance program.
One of the weaknesses of compliance management technology solutions is that they do not support an integrated risk and control architecture and instead rely on providing a separate set of questionnaires for each regulation. Heavily regulated organizations have matured their GRC processes so that they no longer rely on dedicated questionnaires and instead leverage an integrated control framework to cover the majority of their compliance requirement assessment and testing needs.
One of the biggest changes we see in the compliance management solution marketplace is the need to move away from a “checklist” style approach and toward risk-rationalized controls. As regulators move toward risk management and away from prescriptive control requirements, this is going to be a major shift in solution design requirements. Our experience has been that during the past 10 years, clients could get funding for projects related to regulatory compliance (many cybersecurity vendor purchases were justified by regulatory needs)… but not so much for risk-related projects.
The use case for compliance management can be very broad, and as such it is typical for organizations to have started applying GRC technology solutions to address one or two specific regulatory challenges. It is also common for organizations to start using GRC technology within the IT department to help alleviate constant requests for assessment and testing evidence. Compliance requirements that are considered outside the realm of IT or more “enterprise” in nature, such as environmental health and safety regulations, are typically added to the integrated control library and managed through the regulatory change management process like any other regulatory requirement. Specialty GRC technology tools have been slowly integrated into centralized platforms as more organizations rely on integrated solutions to support their enterprise compliance programs.
Sargon Solutions has built specialized content (loss events, integrated control libraries) and processes for clients to help improve their compliance management solutions. Common use cases we see from clients include:
Integrated Control Libraries
Compliance Management Frameworks
Control Testing Processes
Remediation Planning and Tracking
Compliance/Regulatory Dashboards and Reporting