Thomas Bahr and Michael Neumann work on Enterprise Content Management projects within the Information Management Competence Group of BearingPoint. They have more than 10 years' experience with ECM software.
BearingPoint is an independent management and technology consultancy. Owned and operated by its Partners throughout Europe, BearingPoint offers its clients the best possible value in terms of tangible, measurable results by leveraging business and technology expertise. The company currently employs 3,250 people in 14 European countries and serves commercial, financial and public services clients.
BearingPoint’s Enterprise Governance, Risk and Compliance (EGRC) solution is designed to help your organization better identify, understand and manage the dynamic interrelationships between risk and compliance and incorporate those disciplines into daily business activities.
8 Ways SharePoint Helps in Enterprise Governance, Risk and Compliance
1 -- Learn how to manage risks and compliance.
Managing business risk and achieving regulatory compliance are among the greatest challenges that enterprises face. There is increasing pressure to comply with evolving legislation, mandates, standards and regulations designed to protect against an array of risks that span different industries, disciplines, governments and geographies.
Yet in many organizations, compliance and risk management have been treated as silos of responsibility, supported by reactive point solutions that can introduce new cost burdens and complexity. Constant fire drills, regulatory pressure, organizational anxiety and even outright confusion are not uncommon. Despite large investments in this area, executives believe their organizations have inadequately addressed the processes and systems dealing with risk, compliance and security.
The top challenges in risk management are:
- Prioritizing risks
- Defining control objectives and control activities
- Measuring potential risks and control efficiency
- Constantly being in reactive mode when dealing with risk
2 -- Become “risk-adept” rather than “risk-averse.”
Take a results-oriented, execution-driven approach to become “risk-adept” rather than “risk-averse.”
A leading industry approach has these elements:
- Use strategies and processes that drive value (assess, execute, monitor, remediate and report)
- Establish effective processes integrated with automated workflows to make sure nothing important is skipped
- Maintain a library of tested risk indicators and control activities
- Remain current with new and emerging risk factors and compliance issues
- Leverage insights about leading practices from many industries
The approach should be designed to help your organization better identify, understand and manage the dynamic interrelationships between risk and compliance and incorporate those disciplines into daily business activities.
Build up a global, unified risk and compliance framework that can be vertically tailored to your specific needs, allowing your organization to assert more control over complex and ever-changing risk and compliance dynamics. With this approach, you can achieve greater levels of compliance and better manage risk at less cost with degrees of efficiency and precision not possible with a traditional siloed approach.
3 -- EGRC comprises strategy, business process and technology.
An enterprise-wide governance, risk and compliance implementation (EGRC) comprises strategy, business process and technology to give your organization an enterprise-scale platform configurable to address a host of regulatory requirements, industry standards and controls, and internal policies. It should help managers and auditors assess the potential effect of threats and vulnerabilities on compliance—including the risk of noncompliance itself—by covering:
- Regulatory compliance: providing a comprehensive framework for managing Sarbanes-Oxley, Japanese Sarbanes-Oxley, Basel II, Markets in Financial Instruments Directive, OMB Circular A-123 and other compliance initiatives.
- Internal policies and procedures: configuring the solution to your organization’s specific needs.
- Enterprise risk management: assessing and managing business risks using key risk indicators that measure risk likelihood and effect, then translating those effects into control objectives and monitoring effectiveness through compliance.
For companies based in the United States, the EGRC solution should align with the Public Company Accounting Oversight Board’s Auditing Standard No. 5, which encourages a risk-based approach to compliance under Sarbanes-Oxley Section 404. It gives public companies greater flexibility to focus compliance initiatives on areas that present the greatest degree of risk, such as financial-closing processes or fraud-management controls, rather than on myriad Sarbanes-Oxley-based controls without regard to the importance to their business.
4 -- EGRC is aware of end users' needs.
Based on our experience, the primary end user wants to:
- Store, access, search, track and manage risk and compliance data, e.g. via survey functionality that helps users make a realistic assessment of their current state and chart a course of action for their risk or compliance program.
- Automate workflow processes and information routing.
- Prioritize, assess and manage remediation of control deficiencies, e.g. by entering Risk, KRI and Compliance data into libraries or linking attributes through a hierarchy.
- Collaborate atop a familiar standards-based platform.
- Monitor risk and compliance with metrics, alerts and analytics e.g. by reviewing status of risk and compliance metrics.
5 -- SharePoint offers features and capabilities for EGRC.
Why? Here are some reasons:
- Rapidly accepted. The familiar Microsoft “look and feel” increases the speed of adoption and reduces users' resistance to change, while implementing standard libraries for COSO, COBIT, ISO and ITIL.
- Configurable versus customizable. Taking advantage of the extensive and flexible functionality of Microsoft's applications enables business requirements to be met through configuration instead of the development of custom code. The best examples are versioning, audit logging, multistage workflow, survey, search, reporting and dashboard functions.
- Practical and cost-efficient. Most organizations have already standardized on Microsoft and have most of the necessary applications to run the solution, thereby reducing acquisition costs and freeing up resources for more value-added activities.
6 -- Tips for implementing an EGRC platform.
In order to adequately address ongoing business risk and compliance, organizations need a transparent view of their enterprise. A leading-edge approach has these elements:
- Use strategies, processes and technologies to proactively manage risk and compliance enterprise-wide.
- Use automated workflows to increase efficiency and reliability.
- Provide a comprehensive enterprise risk and compliance management framework.
- Build a library of identifiable risk indicators and control activities.
- Stay current with new and emerging risk factors and compliance issues.
- Leverage insights about leading practices from many industries.
- Create a “one size fits one” risk-based compliance solution that will drive business value and reduce costs and complexities.
7 -- Realize the benefits of integrated risk and compliance management.
By introducing an EGRC solution you will realize the following benefits:
- Reduce costs
  - Reduce audit fees, fines and penalties through integrated systems, controls, processes and audit trails
  - Save internal costs and gain efficiency by redeploying resources from manual and duplicative controls
- Reduce complexity
  - Replace silos of risk and compliance activities with an overarching, integrated view
  - Reduce risk and compliance complexity by integrating and de-conflicting risk requirements
- Increase business value
  - Align a comprehensive risk strategy with specific execution controls through transparent processes and technology
  - Make better, informed decisions with forward visibility into risk and compliance through data transparency and real-time reporting
  - Improve risk and compliance management with a solid governance structure
8 -- What you need is a Governance Model.
We believe there are 4 key competencies in a governance model: 1) Guiding/Strategizing, 2) Designing/Coordinating, 3) Executing and 4) Monitoring.
- A Steering Committee with executive sponsors will guide the company by defining a policy for EGRC and aligning it with the Information Management policy.
- Project teams will initially design and coordinate processes to enable each business to consistently fulfill its execution obligations for EGRC; Working Groups will monitor these for continuous improvement.
- Each business will execute and enforce the policies and processes for EGRC.
- Internal Audit will audit and monitor adherence to the policies and processes as part of routine audits of EGRC.