produce results overcame governance mechanisms. Overemphasis of how
over what can lead to an organization focused on compliance at the expense
of performance. At its worst, this means a company has perfectly clean
audits but goes out of business.
Discovering the Reusable Technology of GRC
One of the benefits of taking a serious approach to GRC is that new capabilities
are brought into an organization. GRC processes and supporting software exist
to monitor activities of a business. What is less well understood is that the software
platform that supports GRC is actually a framework that can be used for
many other purposes besides GRC, including CPM, business intelligence,
process optimization, and automating processes for problem resolution.
Right now, GRC software is a bit further along in its maturity, so this section
briefly describes the aspects of the software platform that supports GRC. In
the past, this same layer of software has sometimes been referred to as the
GRC foundation. Whatever it is called, a GRC platform usually provides the
following capabilities that have multiple uses.
Repository
A GRC platform must have a repository that stores unstructured items such
as documents and also structured information that describes controls,
processes, events, and so on. The repository must have some sort of retention
management so that auditors can see how information changed over
time and who changed it. All sorts of information can be stored in the repository,
including predefined parameters and process descriptions that tailor
the GRC application to a particular industry or purpose.
Document management
Documents that describe strategy, policies, controls, and reports delivered to
regulators all must be kept in a central location with versions and a historical
archive. A GRC platform must have a document management solution to perform
this function. Frequently, this solution is implemented through a standard
that allows any document management system that meets the standard
to be used for the repository. An integrated approach to GRC and CPM leverages
the documentation in a shared repository from strategy creation all the
way down to spend compliance of the budget against the strategy.
Chapter 15: Turning On the Lights with GRC and CPM