What is GRC Exactly?
Brian Connor – Manager Security & Fraud Protection
There are many industry standards that businesses do or should strive to achieve. GMP, or Good Manufacturing Practices, is common in the pharmaceutical industry, and GAAP, or Generally Accepted Accounting Principles, is applicable to any business that deals with money. One standard that does not seem to be discussed very much in the JDE world is GRC.
This month, we will explore Governance, Risk and Compliance (GRC): what it is, what it covers, and why it is or should be the core component of your security posture.
Governance, Risk and Compliance is the broad term covering a company’s strategy for corporate governance, enterprise risk management, and compliance with regulatory requirements. GRC can be broken into its main components, which may make it a bit easier to understand.
Corporate governance in general is the overall approach of management information and control to ensure that the information that reaches the executive team is complete, accurate and timely in order to support management decision making. In other words, there needs to be clear, complete, and timely communication around all aspects of your security posture. Hiding or delaying reporting on an issue will only compound the initial concern and could lead to disastrous consequences. There are many laws and regulations dealing with timely reporting of security incidents, so a delay in notifying the board of any issues can have significant repercussions on company revenue and reputation.
Risk management is the set of processes by which a company will identify, analyze, and respond to threats based on the likelihood and severity of the perceived threats. Risk management is a continuous process and must involve people from various areas of the business to be sure that all potential risks are accounted for. For JDE, this means involving the business, IT, and Internal Audit. The resulting risk matrix must be published and communicated to the appropriate people.
Compliance is the process of conforming to regulatory requirements, whether they are at the local, state, national, or international level. Absolute adherence to regulatory requirements is not mandatory, but when adherence is not possible or practical, appropriate mitigation must be put in place, communicated appropriately, and actively reviewed to ensure the mitigations are being followed. Don’t forget about GDPR (General Data Protection Regulation) if you have European subsidiaries or do business with companies or individuals in the EU.
So, we have a lot of definitions for GRC, but what IS it? In short, GRC is the approach that covers the discovery, intake and analysis of data, the creation of an action plan for that data based on the risk and compliance factors that can affect it, and the subsequent reporting of the action plan and its results. GRC can be applied independently to different areas of a business, but it’s a good idea to have a fully integrated GRC approach across the enterprise.
Now that you have a basic understanding of what GRC is, how do you apply that to your business? Don’t you wish there was a framework that could help define the activities and processes that you need as part of your GRC efforts? Thankfully, there is! The COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework was developed back in 1992 as a model for evaluating internal controls and is still the standard for evaluating the effectiveness of a company’s efforts around GRC.
Typically, in Information Technology, the focus of ERP teams has been on the compliance aspect of GRC, and not much attention is given to governance or risk. Surely you must be joking; my IT department is constantly talking about the risk of malware, viruses, and other bad things! The question is, are they also talking about the risk associated with the application security inside your ERP systems or the risks associated with many of the wide-open file shares typically found in JDE installations? A successful GRC implementation is not a one-and-done exercise but a continuous cycle. A strong security posture is one in which there are clear channels of reporting and communication, a well-defined risk matrix, documented adherence to regulatory requirements, and regular monitoring of internal controls by an outside entity. Security cannot be effective if done in a vacuum.
What does GRC-based security look like when applied to JDE Security? The initial step is to understand the regulatory environment you are operating in. For example, if you are a publicly traded company, then you are subject to Sarbanes-Oxley regulations. This means there needs to be clear separation of duties in financial transactions, or a well-defined mitigating control (along with the ability to demonstrate the effectiveness of the stated control). Even if you aren’t subject to SOX controls, it is a good idea to use as much of the framework as possible, as it helps protect you from financial fraud. Once you understand the regulatory component, you can analyze the risks the business must face (whether from regulatory requirements or from an environmental/business perspective) and determine an appropriate action to mitigate each risk. A mitigation could be changing the access for users or implementing additional checks in the process. An example would be to move the check writing function in Accounts Payable to a manager or higher-level user (who cannot enter or approve invoices) to prevent a user who can enter invoices from issuing payment for those invoices without an additional review of the payments.
Finally, you will have scheduled reporting of known risks, who can execute each risk, the signoff that mitigating controls are in place, and the business acceptance of the risk. The reporting piece is especially important, as that is what provides the complete, accurate, and timely information to the executives to assist them in making business decisions.
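The Accounts Payable separation-of-duties check and the scheduled risk report described above can be sketched as follows. This is an added example, not code from the original article or from JDE; the function names, users, and controls are hypothetical, constructed sample data.

```python
# Constructed sample data: function names, users and controls are hypothetical,
# not real JDE objects. Each conflict is a pair of functions one user should not hold.
CONFLICTS = {
    frozenset({"AP_ENTER_INVOICE", "AP_WRITE_CHECK"}): "Can enter an invoice and pay it",
    frozenset({"AP_APPROVE_INVOICE", "AP_WRITE_CHECK"}): "Can approve an invoice and pay it",
}

ACCESS = {
    "clerk1": {"AP_ENTER_INVOICE"},
    "clerk2": {"AP_ENTER_INVOICE", "AP_WRITE_CHECK"},
    "supervisor1": {"AP_APPROVE_INVOICE", "AP_WRITE_CHECK"},
    "manager1": {"AP_WRITE_CHECK"},
}

# Mitigating controls on file, keyed by (user, conflicting pair).
MITIGATIONS = {
    ("supervisor1", frozenset({"AP_APPROVE_INVOICE", "AP_WRITE_CHECK"})):
        {"control": "Weekly payment register review", "signed_off_by": "controller"},
    # A control that was documented but never signed off by the business.
    ("clerk2", frozenset({"AP_ENTER_INVOICE", "AP_WRITE_CHECK"})):
        {"control": "Manual payment approval", "signed_off_by": None},
}


def sod_report(access, conflicts, mitigations):
    """List every user holding a conflicting pair, with mitigation status."""
    rows = []
    for user in sorted(access):
        for pair, risk in conflicts.items():
            if pair <= access[user]:  # user holds both functions of the pair
                m = mitigations.get((user, pair))
                # A control only counts once the business has signed off on it.
                signed = bool(m and m.get("signed_off_by"))
                rows.append({
                    "user": user,
                    "functions": sorted(pair),
                    "risk": risk,
                    "status": "MITIGATED" if signed else "OPEN",
                    "control": m["control"] if m else None,
                })
    return rows


def open_findings(rows):
    """Findings that still need a remediation or a signed-off control."""
    return [r for r in rows if r["status"] == "OPEN"]


if __name__ == "__main__":
    for r in sod_report(ACCESS, CONFLICTS, MITIGATIONS):
        print(f'{r["user"]:12} {r["status"]:10} {r["risk"]} '
              f'({r["control"] or "no control on file"})')
```
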