What is GRC (Governance, Risk Management and Compliance) Software?
April 14, 2021
Although governance, risk management and compliance (GRC) is not a new concept, it’s not uncommon for us to be asked, “What is GRC software?” After all, our ControlPanelGRC is one of the leading solutions on the market today.
GRC software is a set of tools designed to integrate compliance into everyday business processes, such as user provisioning, role management, emergency access management and periodic risk assessment. With GRC software, you can streamline routine audit and compliance processes, while reducing the risk of fraud or malicious activity in enterprise resource planning (ERP) systems.
GRC solutions will:
- Monitor user privileges and access, alerting the organization when a user has a level of access, or performs an action, that may violate compliance requirements or indicate fraud.
- Maintain audit logs and compile reports to facilitate auditing, risk analysis and other GRC processes.
- Serve as a repository for controls, allowing the compliance team to prove that documented policies and procedures are followed.
A Closer Look
GRC has different meanings depending on where you sit in an organization.
For the IT department and related teams in security and compliance, GRC is much more operational and pragmatic in nature. It’s about establishing policies and practices to minimize compliance risk – and then following through to make sure these policies are enforced. Audits for regulations like Sarbanes-Oxley are the milestones by which GRC operates at the IT department level.
At the board of directors level, GRC is about how the company is run (governed). This has to do with the board’s obligation to protect shareholder assets against risk – making sure the company doesn’t run afoul of any laws, including SEC rules, OSHA standards and environmental regulations, to name a few.
Compliance policies exist at the level of software and data. Companies run on software – and rules affecting financial reporting and accounting are embedded in the computer systems that underpin their workflows. This means for many companies, on a day-to-day basis, GRC is a matter of defining and enforcing compliance policies within the SAP landscape.
Modern-Day GRC Threats and Challenges
GRC software exists because the alternative – manual management of GRC – is not a viable option. It may have been once, but today, it’s almost reckless to consider trying to stay on top of compliance and risk management with spreadsheets and legal pads.
Compliance requirements tend to be cumulative. For example, when GDPR came into effect, it didn’t push Sarbanes-Oxley away. Now, you have to comply with both. As a result, managing GRC is a never-ending game of catch-up.
At the same time, threats that used to seem remote and improbable now look more serious. For example, in the past, simply having a policy to revoke system access privileges for a departing employee was a satisfactory control against unauthorized access. Today, companies also have to worry about current employees selling their ERP login credentials on the dark web. In addition, in the wake of COVID-19, companies have had to increase remote access to their systems, and re-assess risk management and crisis response plans. Stronger GRC monitoring, along with robust security practices, is needed.
Then, there are inevitable changes in system architecture and applications that affect GRC. For instance, many companies are adopting SAP HANA and S/4HANA. This move will (or should) trigger some changes in GRC processes. GRC configuration in an SAP HANA environment requires people who understand the technical layer (e.g. SAP Basis administration), the security model (e.g. SAP Security administration), compliance and business processes.
New requirements drive changes in GRC software too. For instance, we support GRC for SAP for Business on the S/4HANA platform, as well as for new applications developed using SAP Fiori tools. Cloud migrations also affect GRC, so GRC tools must keep up. For example, ControlPanelGRC users can also spin up access controls for their SAP environment in AWS and in SAP cloud applications.
How Much Support Do I Need to Run GRC Software?
Listen to your auditors. The previous level of success your compliance program has had is a good indicator of how much support you’ll need. If your company repeatedly fails audits, or has trouble answering auditor questions from both a software and an internal resources perspective, you’ll benefit from continuous training and support.
Your compliance department needs to continually advance its skill set. The implementation and ongoing administration of the toolsets are also critical. If your auditors have significant concerns every year, it could be a sign your team isn’t able to keep up with new requirements and needs a managed services partner to help.
Implementing GRC Software Solutions
For SAP governance, risk management and compliance, ControlPanelGRC offers a truly turnkey solution. It provides meaningful information for each stakeholder group, along with easy remediation of risks. Managers receive high-level, easy-to-understand outputs. Executives can see graphical reports to better understand potential risks. Technicians have access to root cause analysis to help them remediate risks. All this means improved buy-in, easier audits, and better short-term and long-term success.
The NTT team will:
- Meet with your audit/compliance team
- Install and configure ControlPanelGRC
- Train your staff in the software
- Provide continuing education and IT managed services, if required
Whether you need initial set-up and occasional technical assistance, or prefer outsourcing your entire compliance program, NTT is up for the task.
You didn’t go into business to worry about compliance. Every hour spent poring over compliance reports, meeting with auditors and sitting through risk remediation meetings is an hour you’re not developing innovative products and services. ControlPanelGRC drastically reduces the time requirements of GRC tasks, while providing continuous visibility and deep insight into organizational vulnerabilities. Request a free risk assessment today to learn if ControlPanelGRC is right for you.
Scott Goolik is the vice president of SAP security and compliance at the Managed Services division of NTT Ltd., Americas.