Q&A with our Developers

For 15 years, Longevity Consulting LLC has helped federal agencies establish Governance, Risk and Compliance (GRC) processes. With our understanding of the types of organizational risks and federal regulations that bind organizations, we have helped stakeholders and executives at dozens of agencies identify and mitigate risk throughout the project life cycle. In the following Q&A, Longevity’s Chief Operations Officer (COO) Eric Thompson talks about FedRisk and the importance of tracking risk.

Why do federal agencies need Governance Risk & Compliance (GRC)?

The reasoning is two-fold – from a monitoring and self-monitoring and audit perspective.

GRC provides a mechanism and structure for agencies to evaluate and monitor compliance for institutions impacted by a specific federal regulation. In many cases, agencies are monitoring other entities as well as following the regulations.

For example, in the case of Personally Identifiable Information (PII) and A123 Controls, federal agencies monitor entities that are bound by regulations and how they monitor themselves for regulations by which they are bound.

Why is having the right GRC system in place so crucial to SEC-regulated companies?

We can use GRC to assess and monitor if those entities have those processes and tools in place for the organization. GRC is critical for SEC-regulated companies because it’s about ensuring those firms have the right tools and mechanisms in place to assess many factors. For example, accounting methods, ethical factors (ethics and complying with what is ethical and right by consumers and shareholders), standards and quality controls, and ensuring that they have those mechanisms in place.

What are the first things organizations should do in planning for GRC management?

Once there is a clear understanding amongst stakeholders of the business area in which the organization operates and the compliance and regulatory areas they are bound by, the organization should start to assess the specific types of risk that may be involved, whether it be risk for the mission, such as specific business areas, or something directly tied to one of the regulatory requirements that the organization needs to meet (fines, reputation risk, impact to overall revenue structure, funding, etc.).

If they are not complying with certain regulatory requirements, they should start assessing the severity of those risks and determine prioritization. A GRC tool is instrumental in this – it allows the organization to assess their key risks and report back to stakeholders for each set of activities associated with mitigating risks and their controls. That, in turn, builds a good framework for automatic auditing, to see how the organization is complying with each of the regulations and gives a health check for each.

It’s also important to identify the people in the organization to identify risk and determine how you manage it, and take both a top-down and bottom-up approach to risk control, and get stakeholders on board to address them. If you are serious about GRC, you need senior leadership buy-in as well as people working within the organization to assist with implementation of the GRC program.

How does FedRisk address the common challenges managers face with GRC?

Our goal is to provide an end-to-end solution that gives organizations the ability to quickly identify a governance framework specifically associated with a project or a regulation that the organization is bound by, and then assess the project requirements. We built all that into the tool to help organizations get started in the process without some of the typical challenges.

The software can help you track down requirements and figure out how you are going to manage them and what you will have as your data store. All that information can be pushed to end users on more of a system generated and time-based type schedule so that the end user doesn’t always have to initiate. The system provides notifications and summarized metrics that give an indication of the status of any given audit or risk that’s been defined in the system.

What trends in GRC did you consider in developing the FedRisk solution?

Our developers worked from the perspective of the users who we know can greatly benefit from frameworks already baked into the system. We integrated more than 20 frameworks into FedRisk out-of-the-box, as a SaaS-based platform that is cloud-hosted and supports simultaneous users throughout the organization. We also incorporated into FedRisk a Work Breakdown Structure (WBS) component that allows us to track structures associated with any project in particular, but specifically those most beneficial and integrated with risk-based projects defined by GRC.
