Business intelligence in governance, risk and compliance

Tags: Audit, Compliance, Risk Mapping, SAP. Author: Hernan Huwyler


The importance of risk and compliance functions for corporate governance has increased dramatically over recent years. Organizations are addressing governance challenges mainly in response to regulatory requirements, business transformation, emerging risks and large corporate governance scandals. Many organizations still struggle to focus their risk and compliance programs on meeting stakeholders' expectations.


A large number of GRC services and solutions are available from large and niche consulting firms to support an integrated control model. A GRC platform is offered as a transparent, collaborative system that orchestrates control activities across the business. While organizations can manage the "G", the "R" and the "C" adequately as independent departments, integrating them has proven difficult, leading to control gaps, redundancies, inefficiencies and conflicts. A plethora of GRC modelling proposals exists both in the commercial arena and in the research community (Racz et al., 2010). Business intelligence makes it possible to model control objectives easily and to address risks holistically.


Integrating controls, protocols, key indicators and reports into a GRC platform facilitates the automated detection of risks and the audit of compliance procedures. A major weakness of this approach is the inflexibility of maintaining the control repository for a complex, dynamic environment within a single solution. The diversity of emerging risks requires a grounded approach that supports a "compliance by design" model. Business intelligence allows the GRC departments to model the control framework so that it produces breach alarms, monitors performance and simplifies assurance.

The capability to capture and change control requirements through a common GRC modeling framework facilitates the management of both the controls and the enterprise applications. Business process management, as a common framework for business intelligence, makes it possible to enforce corporate compliance and meet control objectives. It links what needs to be done (the normative compliance approach) with how the control activities should be performed by the business process owners (the descriptive internal audit approach). It is essential, then, that business, compliance and control objectives are designed jointly so that they converge in common rules (Shazia et al., 2007). Regulations, compliance mandates and internal control directives are complex and vague. These mandates of permissions and prohibitions, often written in legalese or technical jargon, are translated by subject experts into rules held in a single control repository. At runtime, these rules can trigger violation alarms and control remediation protocols.
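The passage above describes rules kept in a single control repository that raise violation alarms and remediation actions at runtime and feed key compliance indicators. The following is an added illustration of that pattern in Python; it is not the page's own anti-boycott scenario and not code from the author or any vendor. The sales documents, field names (loosely modelled on sales-order headers), rule identifiers, thresholds and the boycott-language patterns are all constructed assumptions, and the patterns are a simplified stand-in for the legal criteria a compliance team would actually encode.

```python
"""Rule repository evaluated at runtime over sales documents.

Added illustration: the documents, field names, rule identifiers, threshold and
text patterns below are constructed assumptions, not the page's scenario and
not any vendor's or the author's code.
"""
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Document = Dict[str, Any]

# Constructed sample documents (hypothetical field names).
DOCUMENTS: List[Document] = [
    {"doc": "SO-1001", "ship_to_country": "AE", "net_value": 250000.0,
     "export_review_done": False,
     "contract_text": "Supplier certifies goods are not of Israeli origin."},
    {"doc": "SO-1002", "ship_to_country": "DE", "net_value": 12000.0,
     "export_review_done": False,
     "contract_text": "Standard delivery terms apply."},
    {"doc": "SO-1003", "ship_to_country": "SA", "net_value": 990000.0,
     "export_review_done": False,
     "contract_text": "Vendor shall not deal with blacklisted firms; see attached list."},
    {"doc": "SO-1004", "ship_to_country": "US", "net_value": 1500000.0,
     "export_review_done": True,
     "contract_text": "Payment net 30."},
]


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    severity: str
    violates: Callable[[Document], bool]   # True when the document breaches the rule
    remediation: str                       # control action pushed to the process owner


@dataclass(frozen=True)
class Alarm:
    doc: str
    rule_id: str
    severity: str
    remediation: str


# Hypothetical boycott-language patterns; in practice the compliance function
# maintains these in the repository rather than in code.
BOYCOTT_PATTERNS = re.compile(r"not of israeli origin|blacklist", re.IGNORECASE)


def has_boycott_language(doc: Document) -> bool:
    return bool(BOYCOTT_PATTERNS.search(doc.get("contract_text", "")))


def high_value_without_review(doc: Document, threshold: float = 500000.0) -> bool:
    # Assumed threshold: high-value exports need a recorded review before release.
    return doc["net_value"] >= threshold and not doc.get("export_review_done", False)


# The single control repository: rules are data, so adding or retiring a rule
# does not change the evaluation code.
RULES: List[Rule] = [
    Rule("AB-01", "Contract text contains boycott-related language", "high",
         has_boycott_language, "Hold document; route to export compliance for review"),
    Rule("EX-02", "High-value export released without documented review", "medium",
         high_value_without_review, "Block release until export review is recorded"),
]


def evaluate(documents: List[Document], rules: List[Rule] = RULES) -> List[Alarm]:
    """Runtime check: every document is tested against every rule in the repository."""
    alarms: List[Alarm] = []
    for doc in documents:
        for rule in rules:
            if rule.violates(doc):
                alarms.append(Alarm(doc["doc"], rule.rule_id, rule.severity, rule.remediation))
    return alarms


def key_compliance_indicators(documents: List[Document], alarms: List[Alarm]) -> Dict[str, Any]:
    """Indicators a BI dashboard would report: breaches per rule and the clean-document ratio."""
    flagged = {a.doc for a in alarms}
    by_rule: Dict[str, int] = {}
    for a in alarms:
        by_rule[a.rule_id] = by_rule.get(a.rule_id, 0) + 1
    return {
        "documents": len(documents),
        "flagged_documents": len(flagged),
        "alarms_by_rule": by_rule,
        "clean_ratio": round(1 - len(flagged) / len(documents), 3) if documents else 1.0,
    }


if __name__ == "__main__":
    found = evaluate(DOCUMENTS)
    for a in found:
        print(f"{a.doc} {a.rule_id} [{a.severity}] -> {a.remediation}")
    print(key_compliance_indicators(DOCUMENTS, found))
```

Because each rule is a data record with its own predicate and remediation text, a subject expert can add, tune or retire a rule without touching the evaluation loop, which is the maintainability point the text makes about a single control repository in a changing environment.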


Example: U.S. anti-boycott laws scenario




This scenario shows a set of simple rules that integrate control actions with compliance risks in a company running SAP and business intelligence.

A GRC platform based on business intelligence allows organizations to maintain and adjust their compliance requirements easily, to highlight control violations and to report key compliance indicators.
