Governance, Risk and Compliance

Congress and the White House have presented federal agencies with a significant set of regulatory and financial challenges. Mandates such as Circular A-123 call for improving the accountability and effectiveness of federal programs and operations. Add to that the push to embed better internal controls in the federal government to improve risk management and modeling, and also integrate risk and finance information, processes and systems.

While many agencies have worked for years to implement these requirements, the work is often done in departmental silos with disjointed and sometimes conflicting results. Amid shrinking budgets and intense scrutiny from Congress and taxpayers, federal agencies must get their compliance and risk management houses in order.

Government stands to learn from what the private sector is doing to tighten controls. Forward-thinking agencies will find that the right methodology, supported by the right tools, will greatly benefit the organization by embedding monitoring and reporting into enterprise processes. Not only will agencies gain actionable insight into risk, they will be more aware of opportunities to improve efficiency and effectiveness.

Why is now the time for federal agencies to embark upon a governance, risk and compliance program? A mature GRC program can help move a federal government organization from a reactive stance, where the organization is simply compliant with government regulations, to a proactive position in which the agency is managing risk across the enterprise.

Federal agencies can also achieve benefits and improvement opportunities, including:

• Aligning the organization across multiple functions to proactively identify and manage risks.
  
  
• Saving time, money and resources by automating the risk management function.
  
  
• Creating a single framework by integrating an IT governance function which considers the compliance requirements of financial statement audits, the Federal Information Security Management Act (FISMA), the Federal Information System Controls Audit Manual (FISCAM), the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) certification and accreditations, controls assessments and privacy audits.
  
  
• Providing assurance over control effectiveness on a real-time basis.
  
  
• Increasing audit efficiency through management and identification of risks and controls.
  
  
• Reducing costs associated with tracking and remediating control deficiencies.
  
  
• Developing governance models that reduce red tape to strategically and flexibly respond to changes.
  
  

Accenture has found that federal organizations that are achieving success in compliance and risk management are focusing on three areas:

• Consolidate—Integrating multiple compliance and risk management initiatives with a unified model to reduce redundancy and increase effectiveness.
  
  
• Automate—Using automation more effectively, resulting in stronger controls that are easier to validate at a lower cost, without a sacrifice in coverage.
  
  
• Embed—By embedding context-sensitive controls into the business processes themselves, leading agencies can focus on achieving operational efficiency and accountability.
  
  

Agencies can achieve success and meet strategic objectives at a lower cost when they apply these concepts holistically as part of a governance, risk and compliance (GRC) program. GRC is executed most successfully when multiple functions (e.g., agency management, internal audit, management controls, IT, finance, investigations, legal) collaborate under a common framework to capture an enterprise view of governance, risk and compliance activities throughout the organization.

Every federal agency has a unique mission; therefore the tools to support it must be scalable and customizable. Governance, risk and compliance applications can reduce the cost of compliance, while building a foundation to balance risk management and performance.

Five key factors influence the successful addition of this functionality to the agency’s risk management function:

• Business ownership and participation.
  
  
• Alignment and engagement with representatives from business, functional and implementation teams, security, as well as internal/external audit.
  
  
• Early-modular integration into project lifecycle.
  
  
• Accountability.
  
  
• Solution empowered by people and process, beyond a simple technology deployment.
  
  

Government stands to learn from what the private sector is doing to tighten controls. Forward-thinking agencies will find that the right methodology, supported by the right tools, will greatly benefit the organization by embedding monitoring and reporting into enterprise processes. Not only will agencies gain actionable insight into risk, they will be more aware of opportunities to improve efficiency and effectiveness.

Read the full point of view to learn more about the five key factors.