iGRC: Intelligent Governance, Risk, and Compliance White Paper
2013
2013 Edgile, Inc. – All Rights Reserved
Executive Overview
This whitepaper discusses the business needs addressed by Edgile’s iGRC solution, which
introduces a new approach to simplifying a company’s governance, risk, and compliance (GRC)
program. This white paper analyzes the current state of GRC solutions and addresses the
competing goals that exist between software vendor licensing models and a company’s need
for a fully integrated solution. A new lower cost GRC model is then defined, which is born out
of years of practical experience by “Big 4” GRC professionals. This new model incorporates the
following GRC services:
Current State of GRC
The Sarbanes‐Oxley Act, commonly referred to as SOX, was adopted on July
30, 2002 as the answer to financial accounting irregularities through auditor
independence, corporate governance, internal control assessment, and
enhanced financial disclosure. The hangover from the party and related
control bloat is still being felt nearly a decade later as unintended
consequences. A myriad of other mandates – HIPAA, PCI or FISMA – have
resulted in “assurance overhead.” Peeling away the initial layer of complexity (e.g., alphabet
soup regulations) exposes a core set of issues. The issues boil down to what amounts to an
arms race between the one‐off tools and point specific activities addressing each set of
regulations. Every new law results in a new team being assigned to go solve the problem. Every
new team develops its own approach, its own definition of the operating environment, its own
methodology, process, tools and technologies. More people are required to not only develop
the content and control environment, but also to test, manage, and monitor the remediation.
Each law in effect creates a new island of assurance. The result is an inordinate increase in the
amount of time spent on assurance activities and GRC systems, as compared to harmonization
of assurance requirements over time.
The following diagram illustrates the ever‐increasing expectations of a company’s assurance
functions mirrored by an ever‐increasing amount of time spent meeting those expectations.
The task of managing these assurance expectations is daunting and meaningful relief from
regulations does not appear to be on the horizon. In fact, the situation at most organizations is
getting worse with the adoption of the Dodd‐Frank Act and the increase of OCR audits and
fines related to the enforcement of HIPAA security and privacy rules. The reaction from global
legislators and boards alike is resulting in greater attention and demand for better quality
information on GRC topics. Assurance services (i.e., the audit, risk and compliance activities,
policy and governance management, control testing, finding and remediation management)
are those services that are helping organizations improve the quality, context and quantity of
information so that management can make better and more informed decisions.
The three biggest cost‐factors of today’s GRC programs and solutions are:
Highly Manual Processes
Significant Overlap in Effort
Poor Risk Visibility
Highly Manual Processes: Highly manual processes for assurance services are still the norm at
large and small organizations alike. Anecdotally, one leading Big 4 audit firm was still using
manual, paper-based work papers as recently as 2012. And that manual mindset permeates
both the firms that provide assurance services and the assurance functions within
organizations. These manual processes result in challenges to ensure quality (e.g., it’s difficult
to reconcile different risk ratings and control descriptions for the same asset in Word and Excel
documents), and have a high opportunity cost due to time not spent on higher value work (e.g.,
smart remediation planning and execution, assessing emerging technologies, preparing for
changes in the regulatory environment).
Significant Overlap in Effort: Potential for significant overlap is another challenge plaguing
clients. The most common complaint: “We are audited around the same topic, in the same
area, by five different groups. Can’t they share information or talk to one another?” And recent
return on investment analysis performed at clients across industries has demonstrated this
overlap between assurance functions (e.g., compliance, risk, internal audit, security, business
continuity, and external audit) is costing companies millions of dollars each year. According to
a Thomson Reuters press release in February 2012, companies were hit with 14,215 regulatory
announcements globally in 2011, up sixteen percent from 2010. Fifty-seven percent of these
regulatory announcements came from the United States alone. With that volume, it’s likely the
overlap, especially for companies doing business in the United States, will continue to be a
challenge.
Poor Risk Visibility: Lack of visibility to risks is another factor resulting in millions of dollars of
avoidable cost. Companies have estimated that a substantial re‐work of a new product offering
or application can double the cost of the implementation due to missing controls needed to
address risk and compliance requirements. The ability to spot risks early, with the right
requirements and information about potential problems, allows management to make a more
thoughtful remediation decision or an informed risk acceptance.
A New Approach to GRC
Traditional GRC vendors have tried to address this inefficiency by bundling standalone
modules into loosely coupled suites. This approach makes it easier for vendors to sell separate
modules, but creates automation silos which mirror the organizational silos across a company’s
assurance functions. In contrast, Edgile’s iGRC solution takes a holistic approach with one
integrated application automating all of a company’s assurance services:
One application
One data model
One process model
The designers of iGRC spent the last decade cutting their teeth on all the traditional GRC
products in the market. iGRC was then built from the ground up based on two design
principles. The first principle is that a thoughtful design can synthesize the needs of each
assurance stakeholder into one solution. The second principle is that companies within a given
industry have very similar GRC content needs, which can be pre‐seeded as part of the initial
installation. The first principle results in significant operational efficiency and the second
principle results in faster setup times. This allows a company to save money while improving
its GRC situational awareness.
iGRC Process
An intelligent GRC process enables both top-down management (traditionally only seen in an
Enterprise GRC platform) and detailed bottom-up management (traditionally only seen in an
IT GRC platform). Our cross-functional processes help assurance organizations streamline and
automate their related activities. Our hierarchical process design facilitates discrete risk and
compliance ratings, while also enabling the risk and compliance roll-up reporting necessary for the
“big picture” view. Unlike other products in the market, iGRC uses an organization-centric
perspective, not a software module perspective. This gives the customer the ability to roll up
and drill down risk and compliance ratings.
Business Unit – The highest‐level groupings of the organization, the business unit is
generally akin to line of business (LOB) and can be organized in any manner that makes
sense to the organization (geography, legal entity, product, channel). A business unit has
an inherent risk rating, residual risk rating, and compliance rating that considers the
underlying risk units that comprise the BU.
Risk Units – A flexible construct designed to allow for both profit and loss (P&L)
organizational modeling, as well as process or product modeling (e.g., when a process or
service spans several departments). This unique approach allows for both traditional
Sarbanes Oxley department based P&L modeling as well as operational risk and
enterprise risk oriented process modeling. A risk unit has an inherent risk rating, residual
risk rating, and compliance rating that considers the underlying Control Plans that
comprise the RU.
Control Plans – The containers for risk and compliance related information including
controls. Control Plans can take a variety of forms that include business process (e.g.,
Sales), IT process (e.g., Change Management), business function (e.g., legal), application
(e.g., ERP Finance Application), infrastructure (e.g., WAN), property plant and
equipment (e.g., facility), vendor (e.g., payroll outsourcing), data (e.g., PII), and cloud
(e.g., SaaS). The Control Plan allows for high‐level analysis, detailed analysis, or both. A
Control Plan has an inherent risk rating, residual risk rating, and compliance rating that
considers the underlying Controls that comprise the Control Plans.
Control – The most granular level of risk and compliance analysis. Where appropriate,
controls are directly tied to laws and regulations through the Regulatory Requirements
to enable an understanding of the mandates driving the control design and the
consequences of potential non‐compliance if the control isn’t operating effectively.
Test – The assurance activity, potentially performed by multiple audiences (e.g., internal
audit, security, compliance, the business) and tailored to the level of detail and rigor
needed. Whether formal Sarbanes Oxley style testing is needed, or a quick review or
confirmation from the control owner, the test at minimum rates the control design and
operating effectiveness.
Findings – Should a control fail, or pass with findings noted, a Finding is created. A
Finding links directly to a Test and through that linkage, clear transparency to related
mandates is maintained. Findings are evaluated by severity and adjudicated through
either a risk acceptance or remediation decision. A Remediation Plan, discussed in more
detail below, can in turn be linked to the Finding.
Remediation Plan – The project, solution or fix for a Finding is referred to as a
Remediation Plan. Remediation Plans can be developed that address one or more
Findings. Remediation Plans allow for management of the corrective actions, as well as
tracking of costs associated with compliance‐oriented enhancements.
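To make the hierarchy above concrete, the following is an added example in Python. It is not Edgile's iGRC code, and the white paper does not describe how iGRC computes its ratings, so the roll-up rules here are assumptions: a container (Control Plan, Risk Unit, Business Unit) is rated as badly as its worst underlying Control, a Control whose latest Test passed lowers its residual risk one level below its inherent risk, and a container's compliance rating is the share of its Controls whose latest Test passed. The example models Business Unit, Risk Unit, Control Plan, Control, Test and Finding (Remediation Plans are left out), produces the roll-up view and the drill-down from open Findings back through their Test to the Control's mandates, all on constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RISK_LEVELS = ("Low", "Medium", "High")  # ordered from best to worst


def worst(levels: List[str]) -> str:
    """Assumed roll-up rule: a container is rated as badly as its worst child."""
    return max(levels, key=RISK_LEVELS.index) if levels else "Low"


@dataclass
class Finding:
    severity: str            # Low / Medium / High
    decision: str = "open"   # open, accepted (risk acceptance) or remediation


@dataclass
class Test:
    audience: str            # e.g. internal audit, security, compliance, the business
    design_effective: bool
    operating_effective: bool
    findings: List[Finding] = field(default_factory=list)

    def passed(self) -> bool:
        return self.design_effective and self.operating_effective


@dataclass
class Control:
    name: str
    inherent_risk: str
    regulatory_requirements: List[str]   # mandates the control is tied to
    tests: List[Test] = field(default_factory=list)

    def latest_test(self) -> Optional[Test]:
        return self.tests[-1] if self.tests else None

    def compliant(self) -> bool:
        t = self.latest_test()
        return t is not None and t.passed()

    def residual_risk(self) -> str:
        # Assumed rule: a passing latest test lowers risk by one level;
        # an untested or failed control keeps its inherent risk as residual.
        if self.compliant():
            return RISK_LEVELS[max(0, RISK_LEVELS.index(self.inherent_risk) - 1)]
        return self.inherent_risk


@dataclass
class Container:
    """Base for Control Plan, Risk Unit and Business Unit: ratings roll up from children."""
    name: str
    children: list = field(default_factory=list)

    def controls(self) -> List[Control]:
        out: List[Control] = []
        for c in self.children:
            out.extend([c] if isinstance(c, Control) else c.controls())
        return out

    def inherent_risk(self) -> str:
        return worst([c.inherent_risk for c in self.controls()])

    def residual_risk(self) -> str:
        return worst([c.residual_risk() for c in self.controls()])

    def compliance_rating(self) -> float:
        cs = self.controls()
        return sum(c.compliant() for c in cs) / len(cs) if cs else 1.0


class ControlPlan(Container): pass
class RiskUnit(Container): pass
class BusinessUnit(Container): pass


def open_findings_by_mandate(node: Container) -> Dict[str, List[str]]:
    """Drill-down: trace each open Finding through its Test to the Control's mandates."""
    out: Dict[str, List[str]] = {}
    for ctl in node.controls():
        for t in ctl.tests:
            for f in t.findings:
                if f.decision == "open":
                    for mandate in ctl.regulatory_requirements:
                        out.setdefault(mandate, []).append(f"{ctl.name} ({f.severity})")
    return out


def rollup_report(node: Container, depth: int = 0) -> List[str]:
    """Roll-up view: one line per level with inherent, residual and compliance ratings."""
    indent = "  " * depth
    lines = [f"{indent}{type(node).__name__} {node.name}: inherent={node.inherent_risk()} "
             f"residual={node.residual_risk()} compliance={node.compliance_rating():.0%}"]
    for c in node.children:
        if isinstance(c, Container):
            lines.extend(rollup_report(c, depth + 1))
    return lines


def build_sample() -> BusinessUnit:
    """Constructed sample hierarchy (not data from any real organization)."""
    change_ctl = Control("Change approval", "High", ["SOX 404"],
                         [Test("internal audit", True, True)])
    access_ctl = Control("Quarterly access review", "High", ["SOX 404", "PCI DSS 7"],
                         [Test("security", True, False, [Finding("High")])])
    fw_ctl = Control("Firewall rule review", "Medium", ["PCI DSS 1"],
                     [Test("the business", True, True)])
    erp = ControlPlan("ERP Finance Application", [change_ctl, access_ctl])
    wan = ControlPlan("WAN", [fw_ctl])
    return BusinessUnit("Retail Banking", [RiskUnit("Payments Process", [erp, wan])])


if __name__ == "__main__":
    bu = build_sample()
    print("\n".join(rollup_report(bu)))
    print(open_findings_by_mandate(bu))
```

Because every level's rating is derived from the Controls beneath it rather than stored separately, a failed Test on one Control immediately changes the residual risk of its Control Plan, Risk Unit and Business Unit, and the same Finding can be reported under each mandate the Control is tied to.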
iGRC Content
iGRC Content offers a better way to address regulatory change management. Our extensive
experience implementing GRC solutions has shown that content is key to achieving GRC
solution efficiency and quality objectives. Edgile provides harmonized laws and regulations in
an easy‐to‐use format for any GRC automation tool or manual compliance programs, and of
course works seamlessly with the iGRC software.
The annual subscription services provide not only the synchronization of the laws and
regulations that matter most to your organization, but also highly useful risk, governance and
control‐related information to help your compliance program run at an optimized level. iGRC
Content is currently available for the following industries:
Financial Services
Healthcare
Life Sciences
Retail
Government
Manufacturing
Gaming
Energy & Utilities
Edgile’s iGRC solution includes content from over 70 sources and quarterly updates, to help
with your risk and compliance programs, including:
Gramm Leach Bliley Act (GLBA)
12 CFR 30 Appendix B
FFIEC Handbooks
Sarbanes Oxley
HIPAA
US Privacy Laws
EU Data Protection Directive
COBIT
PCI DSS
HIPAA, HITECH, HITRUST, Meaningful Use
21 CFR 11, 21 CFR 820 and General Principles of Software Validation: Final Guidance for
Industry and FDA Staff
NIST 800‐53, NIST 800‐53A, NIST 800‐30, NIST 800‐39, NIST 800‐66
ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005
Other content accelerators that come standard with the iGRC Solution include:
Risk Register of likely threat‐vulnerabilities categorized and linked
Policy, Standard, Procedure, and Guideline Templates sourced to Regulatory
Requirements
Operating Environment starter kits
Risk Profilers, Risk Methodology and Risk Rollup Techniques
Regulatory Change Management as a Service plug‐in
Control Plan Templates with typical Controls already linked
Audience Specific Dashboards that Inform Management on What Matters Most
Reporting Packages for Laws and Programs (e.g., PCI, FISMA, SOX, etc.)
iGRC Technology Platform
The iGRC Solution embraces industry-standard technologies and was built by Information
Security professionals. It is typically deployed in a Software as a Service (SaaS) configuration,
freeing our customers to focus on high-value GRC tasks, and is compatible with Microsoft,
MacOS, and mobile devices. Key technology features of iGRC include the following:
Configurable by function (e.g., audit, Information Security, risk, compliance, etc.)
Process & workflow models
Interactive dashboards & reporting
Role‐based access control (RBAC) with field level control
A “no install” web‐based client
Support for Microsoft, Apple and mobile phone clients
Industry‐standard encryption
Data import and export capabilities
iGRC Lower Cost of Ownership
We have developed a proven Return on Investment (ROI) calculator, with both hard‐dollar and
soft dollar savings. Lower cost of ownership value propositions include:
One low cost enterprise subscription
Based on standard Microsoft technologies
Replaces the need for multiple piecemeal solutions
Provided through a hosted service
Getting Started
Because iGRC comes with all the features ready to go out-of-the-box and a variety of content
accelerators pre-configured and pre-loaded, your users are already licensed to use them all and
they can quickly start benefiting from the value of an automated GRC process. A 30-minute
demo is all it will take for you to be convinced that iGRC redefines how companies will spend
less money and get better results from their GRC programs in the future.
Contact Edgile today to schedule a consultation and demonstration.
Edgile, Inc. Company Headquarters 7000 N. Mopac Expressway Suite 200 Austin, TX 78731
Telephone: +1 512.241.0919 Fax: +1 512.857.0176 Email: [email protected]