Pressure from regulatory bodies, auditors, shareholders and other stakeholders has forced companies to spend more time and money than ever before on their compliance initiatives. As part of these efforts, many organizations are looking for ways to leverage existing technologies and implement new ones to enable their investments to produce better and more efficient compliance results, improve the company’s overall risk management capabilities, and achieve competitive advantage.
Emerging software solutions provide integrated, automated and real-time GRC capabilities that enable better management of business risks. One recent study estimates that corporate spending on just one component of this software landscape – segregation of duties management – will reach $300 million in 2009. Furthermore, AMR Research has noted that companies worldwide are spending an average of US$2.44 million annually on GRC.1
In today’s competitive business climate, it is more important than ever for companies implementing GRC solutions to start with a clear return on investment (ROI) and an appropriate plan to achieve it. Unfortunately, many organizations believe that GRC software purchases provide a “silver bullet” for immediate cost reductions, elimination of compliance issues and improved operational efficiencies. Organizations can only realize these benefits with an appropriate plan and proper implementation of this software.
Challenges and Opportunities
Organizations often make critical mistakes in trying to achieve these benefits quickly and inexpensively, such as:
- “Let’s just buy it.” – Solution selections are made based on ineffective and incomplete criteria, resulting in poor purchase decisions and contract negotiations.
- “Let’s just get it in.” – Solution capabilities and extension opportunities are not well understood, resulting in missed integration points with other systems and leaving voids that future point solution purchases may fill. These eventually require incremental support and implementation efforts.
- “It’s just a technical implementation.” – Software is loaded and activated without appropriate consideration of specific requirements, resulting in ineffective processes and poor data quality.
- “It’s implemented, let’s move along.” – Initially identified compliance exceptions are not addressed in a structured and planned manner, resulting in inefficiencies and unnecessary time spent researching and resolving discrepancies.
- “I can’t get this to work.” – Personnel are not educated on the intended and appropriate usage of solutions, resulting in failed user acceptance.
Our Point of View
We recognize the importance of effective GRC software to an organization’s overall goals. Integrating software in a cost-effective manner and maximizing the organization’s use of the software’s inherent capabilities are critical elements to measuring the success of the investment.
In order to achieve these benefits and begin experiencing the ROI originally promised, it is critical to plan for and implement these solutions with experienced resources who can quickly apply lessons learned throughout the process, from selection and implementation to ongoing support and remediation efforts.
How We Help Companies Succeed
Protiviti’s experienced professionals plan, manage and execute GRC software implementations by helping organizations secure access to their ERP systems and manage compliance and risk management programs more systemically. Our highly skilled resources use proprietary implementation accelerators to maximize the capabilities of and ROI on these significant software investments.
As our manufacturing client worked its way through a multiyear ERP implementation, it became apparent to them that manually managing security and access was resulting in significant workload and potential control weaknesses. We implemented the software provider’s security and access control capabilities and trained the client on how to utilize the software appropriately. After providing detailed and summary-level analyses of the identified security weaknesses in the organization’s application environment, we worked with client management, process owners and IT security personnel to develop more effective and efficient user provisioning, sensitive access management, and segregation of duties processes within the organization.
As a result of the implementation, the client has significantly increased the automated management of its control environment. Our client now has fewer manual controls, more automated monitoring, meaningful access reviews, less chance for error, reduced hours for compliance testing, and improved IT issue management and security administration. In summary, our client has significantly improved control at a lower cost.