
TICKER Magazine - Jan/Feb 2007

"Risk Management & the Enterprise Technology Strategy"


Moving Toward Real-Time Governance, Risk & Compliance

By Margaret Brooks

Would your organization benefit from improved operational efficiency, reduced costs and/or mitigated risk? If the answer is yes, does your enterprise IT strategy address what is needed to achieve real-time Governance, Risk and Compliance (GRC)?

One essential component of a real-time GRC strategy is an enterprise repository of your organization's risk and control business requirements. An effective GRC program depends on being able to map risks and controls to the regulations that apply to your organization, such as SOX and GLBA; to best-practice frameworks such as Control Objectives for Information and Related Technology (CobiT), Committee of Sponsoring Organizations (COSO), Information Technology Infrastructure Library (ITIL), or the International Standards Organization Security Standard (ISO17799); to internal policies, procedures, standards, and guidelines; and to contracts with third-party service providers and partners. When such a repository is combined with information about your organization's risk and control activities, management can more effectively and efficiently govern the resources and processes necessary to support these requirements, and can respond to the reporting needs of the numerous stakeholders involved in the compliance process. The right repository will also serve as a catalyst for controls automation, providing a flexible mechanism for receiving feeds of control testing results and evidence from other systems across the organization.

Many of the controls in your organization may already be automated. Are you able to access information about those controls for monitoring? When information such as metrics or automated evidence of control status is linked to the controls in the repository, continuous monitoring can begin, with up-to-date visibility via dashboards. For controls that are not automated, your enterprise technology strategy needs to take into account the technology that would facilitate improved controls. The investment in the technology strategy will depend on your organization's risks and on its strategy for moving toward real-time GRC.

Over time, a robust central repository can be the source of much positive change for your organization. As historical data becomes available about pass/fail rates of controls, costs associated with testing and remediation, and time-to-recover from risk-related events, management will be able to effectively rationalize which controls and activities are worthy of the investment the company is making in terms of money and resources.

For most companies, building and establishing such a central requirements repository will be an eye-opening exercise, revealing inconsistencies in the processes and methodologies that have been implemented across the organization. Whether those inconsistencies lie in the documentation and testing of controls or in the scoring and prioritization of risk, management will have an opportunity to see first-hand how executive directives have been passed down, interpreted and implemented by the various constituents involved in the compliance process. There is little doubt that an exercise which potentially affects the entire organization could be a painful pill to swallow all at once. For this reason, a pilot or phased approach is recommended. Candidate starting points are the organization's most mature processes, highest-risk areas or most stringent regulations.

Working toward real-time GRC is a journey that needs to be mapped out for people, process and technology. The benefits derived will provide visibility into risks, controls and performance, and improve operational efficiency and effectiveness of compliance activities across your organization. With the right technology in place, management will be able to rationalize existing investments, provide ongoing reporting of compliance activities across the enterprise, and easily adapt today's operations to tomorrow's requirements, as they arise.

Margaret Brooks is VP, Strategic Solutions at CA, 901-433-2572; email: Margaret.brooks@ca.com; web: www.ca.com.
