“The landscape of governance, risk management, and compliance initiatives is broad and littered with a variety of specific standards and frameworks,” said Michael Rasmussen of Corp-Integrity.
“Each of these specific frameworks may be good at what they focus on – but they fail to link GRC together and put everything in context with each other. Risk management, security, corporate governance, control, security, compliance, audit, quality, EH&S, sustainability – all have their respective islands of standards. This makes putting a GRC strategy in place that bridges these silos difficult as the language, implementations, and approaches are quite different. In fact – organizations trying to get an enterprise view of risk and compliance desperately search for a GRC “Rosetta Stone.”
“Not so,” said Stephen Hall of Infogov. “We set out to build Proteus Enterprise as a multi-standard GRC platform operating on common data. Proteus Enterprise™ software recognises and adopts a ‘standard’ approach to the convergence of Corporate Governance, Compliance with multiple standards and Risk Management. Proteus is the one that succeeds in linking GRC together and putting everything in context with each other.”
Proteus® software (http://www.infogov.co.uk/downloads/index.php) has a history dating back to 1995, when the BSI (British Standards Institution) first adopted the original software as the preferred tool to automate the BS7799 Code of Practice for Information Security Management.
“In one web based multi user, multi site, multi standard GRC knowledge environment:
- Controls, policy, roles and assets mapping
- Policy distribution
- Training attestation
- Control self-assessment and measurement
- GRCM asset repository
- Remediation and exception management
- Compliance and risk management with reporting and dashboards
- Worldwide view with drill down to line items on site for all GRC activity augmented by traffic lights
Proteus automates compliance and risk management of any Law, Regulation, Standard, Policy, Contract, SLA or management plan.”
“Just look at the library of standards we have for Proteus,” Stephen said: “BS ISO 27002 Full and Lite, ISO 27002 (also available in Spanish, Italian, and French), Call Centre Security, BS 25999, Physical Risk Audit, Gambling Commission (Online Gaming), CobiT 4.1, Data Protection Act (UK), EU Data Privacy (Italian and Spanish), ITIL V3, Civil Contingencies Act, Freedom of Information Act, SOX (CobiT controls and full), SAS70, PCI DSS, ISF Health check and SoGP, ISO 38500:2008 ‘Corporate governance of information technology’ and OHSAS 18001. Others on request.”
“And we have another 140 planned!”
“The product strategy has led the way for the market, and is founded on the principle of automating best practice as documented in many British (BSI), International (ISO), and Industry Standards e.g. PCI DSS and CobiT, or indeed client specific control frameworks. It is built in such a way as to fully integrate Compliance, Risk Assessment, Impact Analysis, Incident Management, Document Control and Dissemination, but in a very flexible model that allows implementation to suit the client’s priorities and preferences.”
Stephen added, “Michael is quite right to say that there is only one framework that I see that brings this universe of GRC into a common language, process, and architecture – that is the OCEG Red Book (v2) and its GRC Capability Model™. Although various standards and guidance frameworks exist to address discrete portions of governance, risk management and compliance issues, the OCEG GRC Capability Model™ is the only one that provides comprehensive and detailed practices for an integrated and collaborative approach to GRC.”
“Proteus supports the GRC Capability Model and is a complete GRC business architecture. Applying the elements of the GRC Capability Model™ and the practices within them, augmented by Proteus as the underpinning enabling technology, will allow an organization to:
· Achieve business objectives
· Enhance organizational culture
· Increase stakeholder confidence
· Prepare and protect the organization
· Prevent, detect and reduce adversity
· Motivate and inspire desired conduct
· Improve responsiveness and efficiency
· Optimize economic and social value”
Stephen concluded, “Yes, the GRC Capability Model™ describes key elements of an effective GRC architecture that integrate the principles of good corporate governance, risk management, compliance, ethics and internal control, and it provides a comprehensive guide for anyone implementing and managing a GRC system or some aspect of that system. But the following 8 components of the OCEG GRC Capability Model™ are more efficiently and effectively implemented when done so through a truly universal GRC platform in Proteus:
1. CULTURE & CONTEXT. Understand the current culture and the internal and external business contexts in which the organization operates, so that the GRC system can address current realities – and identify opportunities to affect the context to be more congruent with desired organizational outcomes.
2. ORGANIZE & OVERSEE. Organize and oversee the GRC system so that it is integrated with, and when appropriate modifies, the existing operating model of the business, and assign to management specific responsibility, decision-making authority, and accountability to achieve system goals.
3. ASSESS & ALIGN. Assess risks and optimize the organizational risk profile with a portfolio of initiatives, tactics, and activities.
4. PREVENT & PROMOTE. Promote and motivate desirable conduct, and prevent undesirable events and activities, using a mix of controls and incentives.
5. DETECT & DISCERN. Detect actual and potential undesirable conduct, events, GRC system weaknesses, and stakeholder concerns using a broad network of information gathering and analysis techniques.
6. RESPOND & RESOLVE. Respond to and recover from non-compliance and unethical conduct events, or GRC system failures, so that the organization resolves each immediate issue and prevents or resolves similar issues more effectively and efficiently in the future.
7. MONITOR & MEASURE. Monitor, measure and modify the GRC system on a periodic and ongoing basis to ensure it contributes to business objectives while being effective, efficient and responsive to the changing environment.
8. INFORM & INTEGRATE. Capture, document and manage GRC information so that it efficiently and accurately flows up, down and across the extended enterprise, and to external stakeholders.”
Please reply back with your feedback and thoughts. How do you see organizations bringing together an enterprise view of governance, risk, and compliance? In today’s complex business environment a failure to get an enterprise perspective on this is a recipe for disaster.