Leveraging GRC Tools for Business Continuity Management

Close call arrowThroughout this series of posts, we have been exploring the benefits of automating the various components of governance, risk and compliance (GRC) and the ways in which such automation—facilitated through the tools of a GRC platform and aligned with the business’s enterprise applications—could lead companies toward an integrated approach to compliance with government regulations, internal policies and industry standards. Through such integration, companies may reduce their compliance efforts by combining similar, duplicative controls from disparate regulatory and policy requirements into one consolidated view. At the same time, such efforts may contribute to risk mitigation by creating a centrally managed, consolidated controls framework that can be sustainably monitored, measured and adapted as the control environment shifts.

The end result? Greater compliance, improved process and cost efficiencies, and more effective operations both in good times and in bad—including really, really bad.

Which leads us to the topic of the day: business continuity and disaster recovery, or BC/DR. As has been amply proved over the past decade-plus, we live in an age in which the combination of a more complex, interconnected business landscape with more frequent and severe natural and man-made disasters has set the stage for cascading business interruptions when disasters do occur. Last year, the damage inflicted to New York by Hurricane Sandy had ripple effects worldwide, with the closure of Wall Street upsetting global financial activities, power outages at data centers disrupting Internet linkages and the closing of Northeastern ports disrupting supply chains. In 2011, the Tohoku earthquake and tsunami in Japan disrupted not only Japanese manufacturers but companies worldwide that were dependent on components from the affected geographies.

While these and other crisis events have driven business continuity into the top ranks of business risks, the complexity of today’s operating environment has substantially amplified the difficulty of creating comprehensive BC/DR plans that address the full disaster risk life cycle: from identification of possible disruptive events to preparation for those events, design of physical safeguards to protect people and property, establishment of organizational structures to manage emergency response, establishment of plans to achieve operational recovery and post-execution analysis to promote greater future resiliency. Beyond the need to protect life, limb and data, it’s all about ensuring the recovery of critical business processes and systems, prioritized according to their importance, and anticipating and mitigating the reputation, compliance, revenue and expense management impacts of a crisis.

In creating and testing their BC/DR plans, today’s businesses must take into account not only typical disaster preparedness issues such as power and communication system failures and transportation infrastructure breakdowns, but also such business variables as increased reliance on outside vendors, business process automation and vulnerable global supply chains. The complex interrelationships and competing demands of these and other inputs argue strongly in favor of leveraging GRC technologies, which can help companies develop and manage their BC/DR policies, store their testing workflows, track breakdowns and bottlenecks and maintain and regularly update their validated plans. The technology is really nothing more than a repository, but it’s a smart repository; it gives companies a central node for policy, process and procedure, and provides a platform on which to build and store policies, make them accessible to all relevant stakeholders, take them through the testing process, generate the appropriate procedures and then maintain the information for future accessibility.

The technology allows you to connect all the dots and also helps promote more structured information-sharing across the organization, linking BC/DM with other risk management efforts: enterprise risk management, business development, IT security, physical security, quality, compliance, legal, insurance, human resources and internal audit. In the area of IT access controls, for instance, such information-sharing allows the controls to be tested once and then applied not only to SOX compliance but also to the IT aspects of business continuity planning. The GRC platform can also include a repository of legal and regulatory requirements and automated response processes for dealing with specific related incidents—for example, a cyber attack and resultant data breach.

In addition to the cost savings that will accrue from eliminating duplicative testing, the sharing of information and the caching of that information within a central GRC platform gives businesses an enhanced view of their risks across the organization, which allows them to prioritize risk mitigation efforts and enhance their ability to manage risk strategically. In the BC/DM sphere, that translates to an enhanced ability to map a company’s business processes and associated physical and infrastructure components (e.g., manufacturing sites, vendors, supply chains) against a map of the risks inherent to those processes, their geographical locations and their place and linkages within the product chain. From there, businesses may be able to identify and prioritize critical functions and establish workarounds that will allow those functions to return quickly to operation when deprived of their usual support structures.

Whether we’re talking about business continuity, FCPA compliance, or anything else, the point is that these are all business processes with a similar arc, from policy to risks to controls to testing. The more you can automate these elements and aggregate them in one place, the easier it will be to integrate them and reap the rewards of efficiency, accuracy, compliance and organizational clarity.

 

About the Author

Joe DeVita

joe-devita-pricewaterhousecooper-pwcJoe DeVita is a partner with PricewaterhouseCoopers, based in the New York Metro area, and leads the governance, risk and compliance (GRC) technology practice for PwC. Joe works with clients to improve and optimize controls around the financial reporting processes, including business process and IT management controls and IT Security and governance reviews. He also assists clients with application selection, implementation, and optimization of Oracle applications including Oracle E-Business Suite and Oracle GRC Suite. Joe has more than 21 years of IT development, implementation and project management experience and has worked with many of the firm's key clients, including JP Morgan Chase, BP Amoco, IBM, NIKE and Toyota Motors, working with many key issues surrounding risk management and IT controls, including:

  • Assisting our clients to optimize their risk and internal control activities, including SOX readiness/optimization activities, through assessing the effectiveness of internal controls, ensuring alignment with the organizations business objectives and risks and using control activities to drive process improvement and enhanced business value
  • Custom developing and deploying solutions for clients to facilitate various processes not captured in the core ERP environments.
  • Ensuring IT is aligned to organizational strategy, responsive to a changing business climate, with clearly defined policies and procedures that take into account legal and regulatory compliance requirements
  • Enhancing the process of developing robust controls around pre- and post-implementation system reviews through a clearly defined project management methodology that emphasizes the importance of benefits management
  • Performing third-party and other opinion-level services in response to service organization requests from customers for information about internal controls or requests for access to audit (generally in accordance with contractual agreements)
  • Assisting ERP clients to optimize and sustain a real-time controls environment at an enterprise level. We evaluate the effectiveness of current controls and develop a plan to rationalize financial and operationally significant controls. We subsequently design and implement a full range of simplified, standardized controls within core business applications that enables the company to document, monitor and continuously assess the effectiveness of those controls in a real-time environment
Joe is a Certified Public Accountant (CPA), and a Certified Information Technology Professional (CITP). He also holds a Bachelor of Science degree in Business Administration from American University in Washington, D.C.