See how to make compliance more operational with a more preventative, integrated approach that emphasizes risk management over compliance. By embedding more controls into this approach, your organization achieves greater efficiency and lower compliance testing costs than in the more manual report and review model that many companies use.
Key Concept
The Sarbanes-Oxley Act prompted management to report the controls enforced in its company’s systems. Initial responses to the act were strictly compliance-based, as organizations focused on providing enough information to pass external audits without worrying about the efficiency and effectiveness of their systems. Over time, many companies have decided that it is more cost effective to be proactive, using automatic processes and risk management strategies in conjunction with manual processes associated with compliance strategies.
Some organizations view the assessment and management of their internal controls solely as a compliance activity. Others view controls as an integral governance aid that helps manage risk and reach operational goals. It is very important for managers leading implementation efforts for GRC initiatives to recognize their organization’s approach, so they can succeed not only in achieving compliance but in enabling their organizations to embrace a risk management approach that sustains compliance and reduces its cost.
Both approaches enable you to be compliant, but looking solely for compliance ultimately results in a short-term accomplishment that becomes more costly to sustain over time. In many companies, the person implementing cannot exert enough influence to change the view of compliance from a one-time project to an ongoing program. In addition, many large organizations take many years to adopt the more strategic approach. Implementers need to be aware of two factors: management’s willingness to adopt a more strategic approach, and the capability to drive and manage changes in the organization during or outside the project. If management is unwilling, other “natural” change agents might help the implementation team, such as the drive for lower costs in sustaining the program, the desire to reach the level of their competitors, or weaknesses pointed out by auditors that need to be addressed over time.
I’ll compare and contrast the two approaches and explain why more organizations will be adopting the risk management approach as a more strategic part of their governance model over the next few years. I’ll start with an overview of the approaches, and then look at each approach individually.
Two Approaches: Compliance vs. Risk Management
Before the Sarbanes-Oxley Act made management accountable for reporting and assessing their internal controls, management awareness was driven by events such as audits, losses, and inefficiencies. These usually led to revisiting the necessity or design of controls, and then to making sure future events or issues could be more readily discovered before they became significant issues. To comply, these organizations put many manual processes in place to get their risk and control testing and documentation in place using audit resources in hopes of passing their external audit reviews. To avoid independence issues, the same audit firms could not perform both internal and external services — many firms hired other firms to do their internal audit work. The end objective was to be compliant and make sure the company passed its external review. This is the compliance approach, and some organizations still use it to manage their controls. Organizations adopting the compliance approach rely primarily on the control specialists and engage third parties to help develop the required documentation and processes. The emphasis is on meeting the guidelines and regulatory requirements and making sure they have assurance from their external auditor.
Another approach to this process is more preventative and involves risk and control relationships. Organizations adopting the risk management approach already viewed controls as necessary to avoid a risk. While documenting and evaluating their controls, organizations need to document their processes, identify any risks, and then identify the controls that are in place to reduce the probability of each risk occurring. The cost vs. risk approach measures the cost of the control against the risk or bad occurrence. If the risk could produce a very high-dollar or catastrophic event, then the company would be willing to spend more on preventative or corrective controls to avoid the risk or correct it quickly before the loss becomes significant.
The type of organization that uses the risk management approach is already very control conscious and deems the additional steps to verify the controls and provide assurance necessary. In this case, the company justifies additional controls based on a risk vs. reward or cost-benefit approach. The company scrutinizes additional processes and adopts only those that add value to the organization. When compliance is not the primary motivator for making changes, you can take the proactive risk management approach.
Taking the Compliance Approach
To establish the compliance approach, you first need to document business processes and then identify the risks and controls in the processes. Control specialists use the information you document to evaluate if the controls adequately address the risks in the process. This design assessment might find some control or process deficiencies that can increase the risks or decrease the effectiveness associated with the business process.
After identifying deficiencies in controls, management decides whether to add or change a process based primarily on audit recommendations because it equates audit agreement with compliance. Management views the business case for adding solutions to improve controls or to help automate the process primarily from a cost perspective and whether it resolves an audit issue or reported compliance deficiency.
Organizations wishing to extend their control advisors’ involvement in the process can choose to make their internal audit or a central control group responsible for communicating test plans, frequency, and gathering results from the process. By using an existing group or adding just a few incremental personnel, companies can achieve governance over the process with a relatively low cost to achieve the end objective of compliance. They usually evaluate products based on how well the products help automate existing manual processes. For example, if a company is performing segregation of duties (SoD) manually, then an automated solution might help reduce the effort by enabling the organization to have a much more standard and efficient way to address the control objective across the enterprise.
Taking the Risk Management Approach
The major focus of the risk management approach is to help re-engineer the processes and to make the necessary adjustment to controls or process deficiencies on a cost vs. risk basis. Will the cost of the change help dramatically reduce the potential risk exposure, or improve efficiency? The primary driver for this approach is to see how the company can embed the new requirements for testing and reporting of controls into the existing or new processes.
Organizations using this approach need control advisory assistance, but the goal is to make the operations more aware of the risk and seek a strategic advantage in making future business decisions. If there is not a strategic advantage, they’ll be motivated by wanting to eliminate certain tests or processes. For example, for SoD analysis the risk management approach tries to implement revised processes so a company can eliminate the repetitive analysis and incorporate it in the regular security request process when approving changes to roles or user assignments. This eliminates the requirement to conduct a separate analysis and perform remediation. This requires automation and changes to existing processes to embed these checks into the security processes.
The major driver for evaluating solutions that can help facilitate the risk management approach is to leverage automation that helps integrate the process into existing processes and helps eliminate independent checking each and every period. This not only reduces the effort to achieve compliance but also helps make the existing processes more reliable and efficient.
Note
A 2007 study conducted by IBM Global Services among 1,230 organizations worldwide reported that the organizations surveyed had experienced a bad event (a risk that materialized) and that almost half were not prepared to address the consequences. It also stated that more than 80% of the risks that occurred were non-financial.
Contrasting Reactions
Take this example situation: An organization has controls that involve the review of users’ capabilities periodically. This causes it to discover and correct conflicts. Often users were unaware these combinations existed and were not motivated to exploit the combinations. However, the more occurrences that exist, the higher the probability the dangerous combinations could be exploited. Now let’s see how companies can approach the issue.
Compliance approach. Under this approach, the company completes periodic reports and reviews for the area. Personnel work to eliminate the high-risk incidents or all the incidents reported. After the company has corrected these incidents, it has achieved the compliance objective. The primary method is to assess or sample at a point in time and gain acceptance by the auditors that the review, report, and corrections are adequate for management’s assessment of their internal control effectiveness. Manual controls would be required for reviewing reports periodically. Auditors review and conduct tests to make sure the process was adhered to and that it provides a sound basis for management’s statement of internal control effectiveness.
This approach focuses on those risks brought to the attention of management by audits or incidents. Organizations usually decide what to monitor after a bad event occurs. For example, many organizations bought antivirus software to monitor their networks proactively before a significant event caused downtime and severe outages. On the other hand, many more waited until the bad event occurred and then purchased the control after the fact.
Risk management approach. Using risk management, if occurrences in sensitive areas such as cash handling or inventory reach a certain number, the chances for someone to exploit the dangerous combination for personal gain increase. Here is where risk management solutions can help management evaluate the urgency of the situation.
Under this approach, the company could analyze how many of the existing conflicts discovered are actually being exercised by the same individual. This might be a small percentage of the total occurrences. However, if the company knows which conflicting capabilities are both being executed, it can distinguish the actual bad events (e.g., fraud) from the mere existence of capabilities that may be available but not currently used. The company can defer some of the cost of remediation because it knows the probability of the bad event occurring is lower for the dormant capabilities. However, once the corrections are made, the company puts preventative controls in place to eliminate the recurrence. For example, a company could decide to insert an automated control so the approver can check for risks before granting new or revised access privileges.
By embedding the control in the approval process, each change to users can highlight the risk before access is given. In addition, mandatory analysis of role changes embeds the control in the role design and testing process before putting them into production for assignment to users. This means that two new risk discovery steps are embedded into the user assignment and role development processes, which gets to the root cause of the problem and eliminates the need for time-consuming periodic reviews by business approvers. The approver can then focus on the issue at the time of the change to a user or role rather than after-the-fact reports. Reports tend to be put aside and reviewed as time permits, whereas approvals are always given attention so operations continue in a timely manner.
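The two preventative controls described above (an SoD check at the moment a user assignment is approved, and the same check during role design) and the triage of existing conflicts into exercised versus dormant ones can be illustrated with a small script. The following is an added example, not code from the article or from any SAP GRC product; the rule ids, roles, users and activity log lines are all constructed for illustration.

```python
"""Added example (not from the article): an SoD check embedded in the access
approval step and in role design, plus a triage of existing conflicts into
'exercised' and 'dormant' using an activity log.
Rule names, roles, users and log entries are constructed for illustration."""

from collections import defaultdict

# Constructed SoD rules: the two capabilities in each pair must not be held by one person.
SOD_RULES = {
    "SOD-01": ("CREATE_VENDOR", "APPROVE_PAYMENT"),
    "SOD-02": ("POST_JOURNAL", "APPROVE_JOURNAL"),
    "SOD-03": ("RECEIVE_GOODS", "ADJUST_INVENTORY"),
}

# Constructed role catalogue: role -> capabilities it grants.
ROLES = {
    "AP_CLERK": {"CREATE_VENDOR", "ENTER_INVOICE"},
    "AP_MANAGER": {"APPROVE_PAYMENT", "VIEW_VENDOR"},
    "GL_ACCOUNTANT": {"POST_JOURNAL"},
    "GL_REVIEWER": {"APPROVE_JOURNAL"},
    "WAREHOUSE": {"RECEIVE_GOODS"},
    "INVENTORY_CONTROL": {"ADJUST_INVENTORY"},
    "BAD_COMBINED_ROLE": {"POST_JOURNAL", "APPROVE_JOURNAL"},  # conflict built into one role
}

# Constructed current user -> role assignments (a legacy state that already has conflicts).
USERS = {
    "alice": {"AP_CLERK", "AP_MANAGER"},          # holds SOD-01
    "bob": {"GL_ACCOUNTANT"},
    "carol": {"WAREHOUSE", "INVENTORY_CONTROL"},  # holds SOD-03
}

# Constructed activity log: (user, capability actually exercised).
ACTIVITY_LOG = [
    ("alice", "CREATE_VENDOR"),
    ("alice", "APPROVE_PAYMENT"),  # both halves of SOD-01 were used by the same person
    ("alice", "ENTER_INVOICE"),
    ("carol", "RECEIVE_GOODS"),    # only one half of SOD-03 used, so the conflict is dormant
    ("bob", "POST_JOURNAL"),
]


def capabilities_of(role_names, roles=ROLES):
    """Flatten a set of role names into the capabilities they grant."""
    caps = set()
    for name in role_names:
        caps |= roles.get(name, set())
    return caps


def sod_conflicts(caps, rules=SOD_RULES):
    """Return the ids of the SoD rules violated by one set of capabilities."""
    return sorted(rid for rid, (a, b) in rules.items() if a in caps and b in caps)


def check_access_request(user, requested_role, users=USERS, roles=ROLES):
    """Control at approval time: which NEW conflicts would granting this role introduce?
    The approver sees the risk before access is given rather than in a later report."""
    current = users.get(user, set())
    before = set(sod_conflicts(capabilities_of(current, roles)))
    after = set(sod_conflicts(capabilities_of(current | {requested_role}, roles)))
    return sorted(after - before)


def check_role_design(role_name, roles=ROLES):
    """Control in the role build step: a single role must not bundle a conflicting pair."""
    return sod_conflicts(roles[role_name])


def triage_existing_conflicts(users=USERS, roles=ROLES, log=ACTIVITY_LOG, rules=SOD_RULES):
    """Classify each existing conflict as 'exercised' (both capabilities appear in the
    log for that user) or 'dormant' (held but not both used) to prioritise remediation."""
    used = defaultdict(set)
    for user, cap in log:
        used[user].add(cap)
    result = {}
    for user, role_names in users.items():
        for rid in sod_conflicts(capabilities_of(role_names, roles), rules):
            a, b = rules[rid]
            both_used = a in used[user] and b in used[user]
            result[(user, rid)] = "exercised" if both_used else "dormant"
    return result


if __name__ == "__main__":
    print(check_access_request("bob", "GL_REVIEWER"))  # approver is shown SOD-02 before granting
    print(check_role_design("BAD_COMBINED_ROLE"))      # role designer is shown SOD-02 before release
    print(triage_existing_conflicts())                 # alice: exercised, carol: dormant
```

The approval check reports only conflicts the requested change would add, so a request that does not worsen an already conflicted user is not blocked on the basis of old findings; those are handled by the triage, which ranks exercised conflicts ahead of dormant ones for remediation, as the article suggests.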
The risk management approach has senior management proactively determine the major risks to the operation, what to monitor, and then what processes it needs to put in place to make sure the organization can discover these pre-determined signals so it can avoid or correct risks in a timely manner. Many organizations began to adopt disaster recovery plans as a standard practice. In some cases these plans became a common audit report item as auditors realized the control is a good practice to avoid outages. However, other organizations involved in research were slower to adopt the model because the urgency to resume operations was less of a risk for them than for a bank, hospital, or other public service provider.
Costs Favor the Risk Management Approach
The approach an organization takes is usually determined by the organization leadership. Organizations focused on audit approval take much longer to get to the risk management approach. It takes a change agent to convince these leaders that the risk management approach can satisfy both strategic improvements as well as compliance. When adding controls, organizations incur two costs: one for the execution of the control and the second for the control testing.
When organizations adopt the risk management approach, the controls are embedded into existing operations to provide more timely risk information so it can be considered when decisions are being made rather than after the fact. Organizations that take this approach incur the cost of the solution, but they avoid the repetitive testing costs by embedding the control into the process. Because the control is automated, it only needs to be tested once, and then again only when a program change requires a test to validate that it is still working as intended.
Gary Dickhart
Gary Dickhart has 30 years of service with two Fortune 100 firms in senior positions in information security and internal audit implementing and improving governance programs. He has helped more than 50 organizations implement GRC products from 2004 and 2005. As the VP of the SAP GRC Customer Advisory Office he has interacted with more than 80 customers in the last 24 months on implementation approaches for SAP GRC solutions. He has held the Certified Information System Auditor designation since its inception in 1979.
You may contact the author at gary.dickhart@sap.com.