Posted by: David Schneier
Audit, compliance, governance, GRC, Regulatory Compliance, risk
I’m something of an advocate for Governance, Risk and Compliance (GRC) and have been for several years. I’ve been known to rant a bit about how it’s not properly organized as an acronym, because everyone who knows knows that risk comes first and so it should’ve been RGC. But as a discipline and as an approach to designing and implementing controls I’m all for governance being used as the driver to assess, measure and manage risk. And of course if you’re properly managing risk you’re also naturally falling into alignment with all things compliance.
For the most part, whenever I see references to GRC in the marketplace it is almost always associated with a software product and not a discipline or a methodology. And in those rare instances where it is in reference to something being practiced, it’s often depicted as an advanced formulaic concept that requires a PhD to understand, let alone practice. But I’m certain that’s going to change. With all of the layers of regulatory requirements already placed upon Corporate America, and with the very real threat of even more looming large on the horizon, I know that eventually companies and institutions are going to be forced to abandon their all-too-common one-off, silo-centric approaches to compliance and commit to a single, well-thought-out governance program. My best guess is that once the economy begins the slow, steady climb out of its current abyss we’ll start seeing signs of progress on this front.
And so I’m always monitoring the GRC landscape looking for subtle shifts and changes that may indicate a new advance or important discovery.
Two weeks ago one of those subtle shifts landed dead center on my GRC tracking radar, only it wasn’t so subtle.
While working for a client who is suddenly confronted with the demands of a brand new set of regulations, I committed to building out a cross-reference matrix by which they can identify commonalities between their different frameworks and look for economies of scale in the work required to comply. But I’m sometimes lazy and decided that somebody somewhere must have already done something like this; I’m smart, but I’m not often the first one to think of something. And so a-Googlin’ I went. Imagine my surprise when I not only found what I was looking for but also found that there was a company that had created a product that incorporates pretty much every regulation currently known to civilized man and developed a master cross-reference to illustrate all of their interdependencies.
The product is called the “Unified Compliance Framework” and for those people who understand governance and are committed to advancing it from theory to practice this is something akin to the Holy Grail. Simply put, UCF monitors the regulatory and industry landscape, identifies emerging requirements/frameworks as well as modifications to those that already exist, and conducts an analysis to identify how each relates to other frameworks. This allows any organization to take their existing control framework and use UCF to map those controls across the entire compliance spectrum, identifying where one control satisfies multiple frameworks.
Think about that for just a minute. If, for example, you’ve designed a control for password rules as part of your SOX framework, you can use UCF to quickly identify which of the other frameworks that control addresses (several, by the way). If your company conducts business in states that have or are about to have their own data privacy laws with which you have to comply (Massachusetts is the most recent), it’s very likely that not only do you not have to re-invent the wheel, you already have one to use. UCF makes it easy to identify points of intersection, thus making the impossible possible. Or rather, it allows you to kill two (or more) birds with one stone (so to speak).
I’ve been railing for years against the common approach most companies use in which they design one-off solutions to align with the myriad frameworks they operate under. But it’s been a difficult argument to establish and until finding UCF I’ve had to struggle to make my case. But not any longer.
To validate my take on UCF I showed it to a colleague who is in senior management at a Fortune 500 company and who is himself responsible for IT Governance. He immediately saw its potential and wanted to know who else was using it and how. I fear I’ve opened up a can of worms, though, because when I mentioned that I was researching early adopters of UCF he asked if he could join in on the interviews so that he can pick their brains and leverage their success. I was looking for validation and instead inherited a partner. But I feel as though I’m helping create a mini-wave of excitement in the governance space, and I’m OK with that.
I’ll have more to share with you over the next few months as I continue to dig into how UCF is being used in support of GRC initiatives. But in the meantime I encourage you to check them out for yourself. If you’re someone who has a governance role, hopes to have a governance role, or simply wants a glimpse into the future of GRC, it’s well worth your time.