In large enterprises, business units are increasingly taking on the job of identifying, assessing and remediating risk to ensure regulatory compliance.
To help risk officers there’s a wide range of solutions to choose from, over 50 by one count, which are constantly adding new features and capabilities.
The latest is RSA’s Archer governance, risk and compliance suite, which has been updated to version 6.0 with improvements to help business users, risk managers, and the audit team complete their tasks.
The company said Wednesday the new suite, to be released Nov. 10, includes a workflow engine and user interface across all of the suite’s 13 modules that allows users to drag and drop the steps needed to finish an operation.
For example, customers that use Archer for incident management can more easily design workflows that give staff a screen with a small number of fields for reporting an incident, with increasingly more fields as the report goes up the chain.
“Customers can configure workflows based on their individual business requirements,” Steve Schlarman, an RSA [NYSE:EMC] governance, risk and compliance strategist, explained in an interview.
Another change, aimed at helping business owners who have to perform regular risk assessments work faster, is an improvement to the operational risk management module that a number of Archer solutions are built around.
“We’ve built a whole new lifecycle for risk and control self-assessment that helps the business owner go through their catalogue of risks, look at what controls map to those risks, provide an insight of whether or not those controls are effective and perform a self-assessment,” Schlarman said.
Also new are task-driven landing pages, which consolidate all the tasks a user has to perform across all areas. For example, a system administrator can see a vulnerability identified on a system that needs to be remediated, an upcoming compliance assessment that needs to be finished, and a new asset or group of assets that has been assigned.
There’s no shortage of GRC-related solutions. They include Agiliance RiskVision, BPS Resolver, Brinqa, Check Point Software’s Compliance Blade, IBM OpenPages, MetricStream, Modulo, SAS Enterprise GRC, SAP Risk Management and Thomson Reuters Accelus Risk Manager, to name a few.
These are not for the faint of heart. As Blue Hill Research, an industry analyst firm, noted in a recent report on implementing GRC solutions, “the expansive reach and complexity of GRC platforms adds to the challenge of implementation and deployment. Often, GRC provides a basic solution framework that must be adapted to an organization’s individual needs and use cases.”
In a study of 21 GRC implementations at very large organizations (medium size 5,700 seats), the firm found costs ranged between US$75,000 and US$700,000, with a median implementation cost of approximately US$485,000. Time required for implementation fell between three and sixteen months.
Among its recommendations:
— involve IT at the earliest stage of the investment;
— build from a clear vision of business needs and process change;
— align implementation milestones to business value requirements; and
— seek configurability over customization, where possible.