Big Picture Risk Management
FOR YEARS, analysts, consultants, and risk managers have talked about the benefits of improving governance, risk, and compliance (GRC) efforts within organizations. Ideally, GRC programs help generate efficiencies while helping the company manage overall risk. Implementing a GRC program can seem daunting, as it involves so many aspects of managing an organization, but a growing number of providers are offering solutions that make the task more manageable by centralizing and streamlining the GRC platform.
For example, GRC solutions let the company collect risk and compliance-related information and make it available in a single database. Some solutions can map out where regulatory requirements overlap, helping an organization meet its compliance requirements with less redundancy. The solutions can also assist with auditing, giving auditors access to necessary information and reports in one central location.
GRC solutions can help organizations identify activity trends and system weaknesses. Some solutions can also integrate with other security tools, such as vulnerability management solutions, as well as with other outside sources of data and information. Solutions typically can also generate reports that can be read by managers and board members, providing ready access to information about how the organization is faring in many risk-related areas.
GRC solutions can vary widely. Some available solutions focus mainly on compliance, for example. Others can help organizations manage many kinds of operational and business line risk.
Two organizations, Sterling Savings Bank and the George Washington University (GW), have been implementing solutions from two major GRC vendors, MetricStream and Agiliance, respectively. Sterling’s solution, which is cloud-based, is helping the bank manage a wide variety of compliance and risk-related issues. GW is using a solution that, for now, is focused more specifically on regulatory compliance, IT security, and data protection. Both organizations’ experiences with the solutions are described in more detail ahead.
Until recently, Sterling Savings Bank of Spokane, Washington, tended to manage risk mainly within individual business lines and departments. Various departments, such as those focused on credit risk, internal audit, and regulatory compliance, would often use point solutions, such as spreadsheets and various databases, to track and manage GRC-related efforts. Different lines of business were primarily concentrated on their own risk and compliance needs, says Susan Palm, audit and risk review executive at the bank. One primary weakness of this approach is that “what’s best for one line of business may not be best for the whole company.”
One major goal, she says, was to integrate risk and compliance into the overall business, “not to make it additive. When risk management is integrated into the work you’re doing, that’s when it becomes valuable.” The bank also wanted to make the GRC process more efficient and consistent and to be able to generate reports that could provide valuable risk-related information.
Beginning in 2010, the bank looked at a few GRC solutions. MetricStream was appealing because its offerings were strong in auditing and compliance as well as various forms of operational risk. MetricStream also provides the option of a cloud-based service. With the management and updating of the product run by the vendor, Sterling would be able to focus less on the product’s operational aspects and more on generating desired results, she says.
Implementation. After Sterling signed up for MetricStream, the vendor sent a team both to set up the system and to train Sterling executives who would need to use the software. As a part of setting it up, MetricStream staff interviewed the bank’s professionals. In implementing MetricStream, it’s been particularly important to involve managers and other employees from an early stage, she says. It has been important to learn from various managers how they managed risk and stored data, for example.
Since the bank started working with MetricStream, the vendor has also provided numerous suggestions to the bank on practices such as the collection and reporting of risk-related data, says Palm. They also made suggestions on how the bank could get rid of certain redundancies in the compliance data collected by the bank.
A holistic system. Though MetricStream helped the bank refine the solution to best meet the bank’s needs, many of the components of the system had already been designed by MetricStream, says Palm. The vendor offers many plug-and-play components, she says, and the bank hasn’t felt it necessary to deviate far from what the vendor offered.
The solution is highly intuitive to use, says Palm. One advantage of MetricStream over some other products Palm tested is its search functionality. The function is similar to some of those provided by major Internet search engines, she says. The search function allows end-users to type in certain information related to various kinds of risks. Users can also easily pull up information from the centralized database on subjects including past regulatory examinations and audits, GRC-related policies, and vendor contracts and certifications.
The system offers end users dashboards, tables, and graphs showing the risk profile and many other kinds of information. MetricStream also makes it easy to identify trends, says Palm. The bank can see how it has fared in certain auditing tests over time; it can also see how it compares to published industry averages.
The system has already generated efficiencies when it comes to auditing, says Palm. In numerous instances, the bank would collect the same data in different departments pertaining to individual regulations, she says. The centralized database helps ensure that certain information is only collected once. It is then made available to managers and others throughout the organization who need it.
The bank has also used a MetricStream function that lets organizations grant specified viewing privileges to designated users. Auditors, members of the board, and various managers have access to certain data and reports, for example.
Another advantage of MetricStream is that if specified changes are made to the system, indicating, for example, that a regulation has been amended, the system can make changes in all relevant places simultaneously. This functionality is useful because compliance laws are continually evolving, says Palm.
MetricStream has helped management make the bank’s GRC efforts far more efficient, says Palm. But the solution’s greatest benefit may be “more about impact,” she says. The solution is helping Sterling gain a better understanding of how to invest resources to minimize risk. It provides, she notes, a “comprehensive holistic view of risk to managers, the board, and the enterprise.”
George Washington University
When George Guzman was appointed to the new position of director of compliance and risk services at GW in 2011, he turned for help to GRC solutions. In his previous work as a government contractor and in other capacities, Guzman says he had some experience using the platforms, so he was already familiar with the potential benefits.
Like many organizations, GW needs to comply with a plethora of sometimes evolving regulations. In addition, to qualify for and win research funds, the university needed a way to show how it planned to meet data protection requirements. The university also wanted a way to better show members of its board of directors how it was complying with regulations and managing risk, he says. “We were really looking at professionalizing [such] presentations.”
Producing reports would help show “where our risk areas are,” says Guzman, so board members could take more effective action in response. This could help the university be more proactive in managing risk and compliance, he says, noting that, in the past, the university had been more “reactionary in its response.”
Guzman and other university executives looked at a few GRC solutions. Some provided a plethora of predefined functions, including those concerning financial and operational risk, but Guzman was more interested in a solution that could help with compliance, IT security, and data protection. A product from the vendor Agiliance seemed particularly strong in these areas, he says.
One of the biggest challenges in implementing the solution has been working with the software to generate reports that can be most useful to members of the board and managers, he says. The software is capable of collecting and producing graphs and other data on so many kinds of information that setting it up properly requires some testing, experience, and “tweaking,” he says. “There are a lot of places where you can get off on tangents, but the focus is on making sure you have the right end result.”
Guzman says it’s also important to carefully plan out issues such as workflow in order to gain the most from the system. This has sometimes involved drawing a visual map of such processes before entering information into the system. It’s also important to talk to managers about how they manage risk in different departments.
Agiliance, like some other GRC solutions, can integrate with various security tools, including some popular vulnerability management solutions, says Guzman. He has been working on integrating a vulnerability management solution from Tenable Network Security. One of the strengths of the Tenable solution is its ability to scan and detect security weaknesses in network assets such as servers and routers, he says. Having the Tenable solution integrated into the Agiliance product is beneficial, according to Guzman, because vulnerability management is closely tied into the risk and compliance process. Information from the Tenable solution can be integrated into charts, graphs, and other Agiliance features and reports.
Agiliance cost the university about $90,000, but that is fairly reasonable, says Guzman. Some other GRC solutions, which can assist with a wider variety of risk areas, can cost $500,000 or more, he notes.
Agiliance has given the university a far more efficient and effective way to produce reports for managers and board members, says Guzman. With Agiliance reports, managers and others are able to say “here is the next step or here are the recommendations to help.”
It’s necessary to provide managers and the board with readable reports, showing a more holistic view of compliance and IT security-related risk, says Guzman, “so they know their investments are being used wisely.”
Both Sterling Bank and GW have shored up their GRC efforts, turning a disjointed, sometimes haphazard process into a more coherent view of GRC efforts and goals. Implementing the solutions has helped both entities generate efficiencies and provide managers, the board, and auditors with easier access to more valuable data on compliance and risk. Sterling Bank’s and GW’s implementations demonstrate how organizations can use GRC solutions.