How Good Information Management and Information Governance Helps Our Governance, Risk, and Compliance (GRC) Colleagues

GRC is a popular acronym, and many large corporate entities have multiple Governance, Risk, and Compliance teams spread across different divisions and lines of business, but what is GRC really?

Governance, Risk, and Compliance is a set of capabilities that enable an organization to reliably achieve objectives while addressing uncertainty and acting with integrity. It includes enabling policy, procedure, and technology for good corporate governance, assurance, and management of performance, risk, and compliance. To break it down further:

• Governance is the act of externally directing, controlling, and evaluating an entity, process, or resource to reliably achieve objectives.
• Risk Management describes the actions taken to manage process and resources to address and mitigate risks while pursuing reward, thereby addressing uncertainties in the business operating environment.
• Compliance is the state of being able to fulfill specific requirements, including those imposed by external regulatory bodies, standards associations, and governments, by acting with integrity.

The shape and form of GRC activities depends on the organization and business environment it operates within. There are heavily regulated industries such as the Financial Services sector, or the Pharmaceutical, Health Care, and Bio-tech sector which may lead to a requirement for specialist Compliance groups within the organization. In other industries, Enterprise Risk or IT Risk functions undertake specific GRC activities.

GRC activities can take place at all levels within an organization. The “three lines of defense” model is widely used:

• First Line – risk owners and managers, mostly in the line of business
• Second Line – risk control and compliance, back-office teams
• Third Line – risk assurance, enterprise Compliance teams, Internal Audit functions

Across the 3 lines of defense there are many specific and specialist tasks that need to be undertaken:

• Regulatory Compliance Management requires keeping up with all of the latest regulations (and changes to existing ones). Often, cloud-based Regulatory tools are used to manage the regulation details, provide alerts, and manage obligations.
• Control Mapping occurs once you know what regulations impact your business. Once known, these must be mapped to controls. Library controls are available via specialist GRC software.
• Policy & Procedure Management is the development, management, updating, and dissemination of policy and procedure to all involved stakeholders across the organization.
• Monitoring & Testing includes monitoring the controls that have been put in place and testing the procedures to ensure they are providing the appropriate levels of risk management and mitigation.
• Risk & Controls Assessments is the continuous assessment of risk and the controls designed to manage and mitigate it.
• Training & Education is dependent upon industry requirements and requires annual training and attestation that it has been undertaken.
• Issue Management – or compliance specific ‘adaptive case management’ – is the policy, procedure, tools, and business processes to manage issues that arise from the GRC processes. Issues might be identified at any of the 3 lines of defense.
• Complaint Management is required for some industries and dictates that policy, procedure, and processes must be in place to manage complaints received from customers and clients.

As can be seen above, GRC is broad and potentially complex space, and there are many specialist tools available, with some of the leading enterprise GRC platforms being IBM OpenPages, MetricStream GRC, SAP GRC, and Thomson Reuters Accelus.

These specialist tools tend to focus on the Regulations, control mapping, risk assessment, and controls elements of GRC and can significantly extend GRC’s abilities. Unfortunately, what these tools don’t do well—or at all—is manage the large volume of documents and emails that can be generated by assessments, testing, issues management, and complaints management.

How Information Management Professionals Can Help

As AIIM members and Information Management professionals (whether working in information management groups or governance functions such as record management teams) we can help our GRC colleagues with the expertise, processes, and technology to improve their efforts to manage the mass of unstructured information they generate and work with.

By leveraging the concepts of intelligent information management, GRC professionals can provide structure to processes and content repositories in order to improve efficiency and ultimately help our colleagues work smarter, not harder. Our GRC colleagues are subject matter experts in their own fields and may not have a good understanding of what metadata is and how it can help them search for information. Additionally, they may not have a good grasp of how to use Content Services, Enterprise Content Management platforms, or other technologies to store, organize, and retrieve a large number of documents, emails, and other artifacts generated by their governance, risk, and compliance processes.

As an example, in a major Canadian bank, my Knowledge Management team helped a Compliance team that had to review very large numbers of reports on a daily basis. Unfortunately, this meant printing thousands of pages of paper, physically marking up that paper to show their work, signing it, and scanning it in for return to the line of business. We changed this to a PDF based process, with highlighting and comments in the PDF, and gained approval that the process of saving the document into the document management system (DMS) with its “last modified by” and “last modified date” metadata provided a better audit trail than a date and signature on a scanned copy. This very simple set of improvements saved hundreds of hours across a year, made it far easier for Compliance specialists and their line of business colleagues to collaborate on a report when a discrepancy was identified, and saved a considerable amount of money in printing and storage of paper—which also worked towards the bank’s environmental impact goals.

Over the course of your career you may have GRC colleagues be proactive in reaching out to seek help; or, you may simply be presented with opportunities to educate and assist them as the need arises. As always, we should seek to understand their business problems and pain points in order to bring our expertise in intelligent information management to help them improve their situation.

How is your team currently working with the GRC colleagues without your organization? We’d love to hear your feedback! Email Brit Nowacki to share your thoughts.