Dashboard Insight recently spoke with Archer's Steve Schlarman about risk and regulatory intelligence and the top GRC best practices; he also gives a glimpse into the future of Archer Technologies.
Dashboard Insight: Can you explain risk and regulatory intelligence to our readers?
Steve Schlarman: Risk and regulatory intelligence is gained when an organization has implemented methods to consolidate, correlate and analyze data coming from risk and regulatory management processes - to gather insight into those respective processes. Risk management and regulatory compliance objectives can often be met without any consolidated view, e.g., the SOX audit passed, we made it through the PCI assessment this quarter, etc. However, the ability to consolidate data gleaned from those individual processes allows the organization to actually correlate issues and activities and to streamline and improve the processes, thus providing a new level of intelligence to the overall risk and regulatory management program.
For example, control consolidation and harmonization efforts - a major driver for GRC programs - require the ability to view controls holistically, whether the controls are implemented to manage business risks, meet compliance objectives or both. Consolidating data such as testing results and compliance state allows the organization to approach this harmonization and move toward the "ask once, use many" concept of management monitoring and compliance testing.
Additionally, risk and regulatory intelligence merges business data into the management processes and views. Integrating actual business data - transaction levels, performance statistics, revenue numbers, etc. - with risk and regulatory compliance data - control measurements, control testing results, etc. - adds a level of business context that truly gives executives the information necessary to make business-critical decisions.
DI: Numerous organizations continue to struggle with how to ably meet compliance requirements resulting from the Sarbanes-Oxley Act (USA) and other securities laws worldwide. What do you think are the top GRC best practices, regardless of where a company is located?
SS: There are many factors influencing GRC practices. The companies that are implementing top-tier GRC programs typically target some common objectives. GRC is viewed as a strategic business imperative and is considered necessary to maintain advantages and create business value. Effective GRC programs should enable the organization to meet regulatory obligations and manage everyday business risks while simultaneously identifying potential business opportunities for competitive advantage.
Additionally, companies realize that the silos that have been built over the last several years for regulatory compliance need to be broken down to provide a cross discipline, cross regulation and cross business unit view into the risk and compliance state of the organization. To achieve process sustainability, organizations need to define a GRC architecture that is:
- Unified. If various risk and compliance stakeholders are moving down individual paths, they will not be able to achieve the economies that a sustainable GRC architecture offers. The goal is to provide sustainability and efficiency through a unified view of risk and compliance initiatives. This single lens must also enable stakeholders to focus in on specific areas of interest.
- Automated. Business infrastructure is vast and rapidly changing. The only way to achieve effective GRC is to select and deploy technologies that help the organization automate risk and compliance processes and enforce controls within the environment. Through automation, organizations achieve continuous risk and control monitoring as opposed to the point-in-time spot checks of the past.
- Integrated. A lot of time is wasted in deploying islands of technology that do not work together. Multiple point solutions that span different areas of the infrastructure are costly to manage, fail to deliver a holistic view of the enterprise and cannot correlate analysis to provide more definitive conclusions. Sustainable risk and compliance leverages an architecture that is integrated to facilitate management and reporting across the enterprise.
- End to end. The business environment is complex and distributed, which requires end-to-end management of risk and controls across identities, infrastructure and information in the GRC architecture. Information is at the center of risk and compliance initiatives and an organization needs an end-to-end strategy to define information confidentiality, integrity and availability.
- Easy to use. The users of GRC applications need information and processes presented in a meaningful way. GRC processes must also be easy to use and drive business efficiency. When GRC applications require a lot of technical interpretation, they frustrate the end user and bog down the business.
- Flexible. One of the most important attributes - if not the most important - is that a GRC architecture must be adaptive in order to evolve as the business evolves. Furthermore, business users must be empowered to make changes without relying on costly, time-intensive custom development.
DI: As a GRC solution provider, what percentage of your revenue comes from public sector vs. private sector sources?
SS: The majority of Archer’s revenue comes from the private sector; however, we have many clients in the public sector, which currently constitutes approximately 5% of our revenue. We recently signed a partnership with Nova Datacom and displaced the incumbent IT-GRC vendor. We are seeing strong demand in the public sector and anticipate tremendous growth here for Archer in 2009 and beyond.
DI: How has the recent economic climate affected the GRC solutions industry?
SS: Organizations are faced with an ongoing dilemma: reduce costs now while preparing for the impending increase in regulatory demands and manage risk in a complex business environment. With these challenges comes a tremendous opportunity to respond with innovation rather than knee-jerk reactivity. Business must think strategically and establish a foundation on which to build a longer-term risk and compliance program while immediately solving pressing requirements.
E-GRC platforms can address this dilemma by replacing existing tools (Word, Excel, email, etc.) and manual processes which are inefficient, siloed and fail to deliver an enterprise viewpoint. The platform must be flexible, easy to use and designed for business users, enabling them to capture new information, modify workflow, integrate with other enterprise systems and deliver real-time reports without relying on costly, time-intensive development processes. Organizations with a strategic E-GRC approach, supported by the right technology, are better suited to manage a lean organization. An improved governance process with strong corporate policies that are managed, communicated and measured for adherence allows businesses to manage risks and demonstrate compliance more cost effectively.
Finally, to compensate for a leaner workforce, companies must be able to leverage their knowledge and information across the enterprise. This requires improving control-management processes, facilitating collaboration with the distributed personnel and their responsibilities to impact the full organization. Businesses must also utilize automation to better manage, communicate and measure policy adherence and implement and monitor controls. By minimizing manual, duplicative, time-intensive processes without the expensive overhead of internally developed solutions, organizations will reduce costs and improve operational efficiency. E-GRC solutions are critical to this approach.
DI: What new Archer Technologies products or developments are in the works that you would be able to share with us?
SS: Archer uses a highly innovative system to capture future ideas through an online forum called the Idea Exchange on the Archer Community website. This concept of “community-driven development” allows customers to submit feature enhancements, collaborate with their peers and vote on top enhancement requests via an online social network for GRC professionals and industry experts. This Web 2.0 approach has been extremely powerful in the development of new solutions at Archer. The complete list of scheduled enhancements is extensive and will take our clients’ implementation of best-in-class GRC programs to new heights. As we continue to build out our Enterprise GRC strategy, you will see how Archer bridges the gaps between different business units and can enable the normalization of risk information which creates a common language where IT and operations are on the same page.
Steve Schlarman, IT GRC product manager, brings deep compliance, security and audit expertise to Archer Technologies. Steve joined Archer in January 2009 after the company’s acquisition of Brabeion Software, where Schlarman most recently served as Chief Compliance Strategist. In this role, Schlarman was responsible for product design and architecture, industry input, thought leadership and content management. Prior to joining Brabeion, Steve was a Director in PricewaterhouseCoopers' Advisory Practice focusing exclusively on information security and compliance consulting and auditing. During his 8+ years at PwC, he led a wide range of security and compliance engagements including security strategy, security policy development, IT audits, penetration studies, Sarbanes-Oxley preparation, and computer crime investigation. He has published many articles on GRC and security.