A Governance, Risk, and Compliance (GRC) tool is an enterprise system that integrates and aligns those three areas so as to avoid conflicts, wasteful overlaps, and gaps between them. Through coordination, communication, and workflow processes, IU’s Enterprise Governance, Risk and Compliance (EGRC) assists with:
- collecting information about the safeguard obligations that arise from regulatory, legal, and institutional policies and standards;
- orchestrating compliance activity, assessing risk and compliance adherence, and identifying control weaknesses; and
- providing feedback to units and administration, typically through a "dashboard," such that they can prioritize risk and align resources in a more effective manner.
As a means of achieving the aforementioned benefits, the EGRC is built upon a solid foundation that includes compliance management, risk management, process governance, incident management, privacy, and vulnerability management. Enterprise-wide statistics and analyses can be produced and provided to university executive administration and to other appropriate areas such as compliance officers, legal counsel, and internal audit. This enhances university-wide compliance planning and enables offices to identify more effectively where to focus awareness, education, and resources.
Existing activities and initiatives
Compliance Obligation Tracking
Compliance Officers (COs) and Subject Matter Experts (SMEs) throughout the university have direct compliance responsibilities for communicating obligations to the IU community. These COs and SMEs are surveyed, at least annually, to provide an inventory of the external obligations for which they assume responsibility. In addition, new obligations can be submitted throughout the year as new regulations take effect or as awareness of an obligation arises. Currently identified COs and SMEs are part of IU’s Compliance Exchange (http://protect.iu.edu/compliance/IU#exchange). This better enables the Chief Compliance Officer to support university compliance responsibilities and efforts.
HIPAA Privacy and Security Compliance Assessment
This assessment process (a questionnaire) is led by the Interim University HIPAA Privacy and Security Officers and is based on HIPAA Privacy and Security compliance obligations and risk management. The process automates the assessment, the remediation cycle, and email reminders. Each assessment is assigned a score based on the responses provided. Scores are saved, so progress can be monitored as gaps in compliance are addressed and controls are implemented. Assessment dashboards make it easy for Compliance Officers or other administrators to see which areas or units need attention and to focus resources there. This process is being piloted by the South Bend campus.
Computer Storage Device Retirement
This process provides a method for units to verify and document the handling of retired computing storage devices from the time the unit retires such a device from service until it is handed off to another party or destroyed. The EGRC pulls in asset data records, including information from the Capital Asset Management System (CAMS) and the System Center Configuration Manager (SCCM), and stores information that enables the unit to track how the asset was disposed of, how the hard drives were wiped, and confirmation that items sent to another party were received. The Bloomington Libraries and the Bloomington Surplus Store are working together to pilot this process.
Third Party Security Assessment
The third party security assessment evaluates the potential security risk involved when third parties will have access to the university’s critical data. In the EGRC, this process automates the assessment, the remediation cycle, notifications, and email reminders. In addition, departments requesting that third parties have access to the university’s critical data are able to follow the assessment throughout the evaluation process and are notified when the assessment status changes. The University Information Security Office (UISO), Purchasing, Data Stewards, Compliance Officers, department owners, and vendors have various access levels to this process and keep it moving through its lifecycle.
Enterprise Risk Management
The Enterprise Risk Management (ERM) module is an infrastructure for Indiana University’s ERM process that assists in the identification, assessment, management, and monitoring of risks, based on a modified version of the COSO model. The EGRC module keeps overall inventories and dashboards for statuses, risks, risk owners, risk areas, risk subareas, controls, objectives, and opportunities, on the principle that each element can be developed, tracked, and cross-referenced throughout the entire process. This includes the use of surveys and assessments, risk ratings and weights, and risk responses.
If you have an activity or initiative like those mentioned above, please contact us to discuss the possibility of using this tool. These can be set up more quickly than new submissions.
If your activity or initiative is not one of those already mentioned, but is similar and you feel the EGRC could be a valuable tool for it, please contact us to discuss your process and we will prioritize it alongside our list of other future activities and initiatives.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five private sector organizations dedicated to providing leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence. For more information, visit www.coso.org.
ISACA provides practical guidance, benchmarks, and other tools for enterprises that use information systems. Through comprehensive guidance and services, ISACA defines the roles of information systems in industry-leading governance, risk management, security, audit, and assurance programs worldwide. For more information, visit www.isaca.org.
The Risk and Insurance Management Society, Inc. (RIMS) is a global not-for-profit organization representing industrial, service, nonprofit, charitable and government entities throughout the world, and maintains a dedication to advancing the practice of risk management. For more information, visit www.rims.org.
OCEG is a nonprofit organization that helps organizations drive principled performance and integrate governance, risk management, and compliance processes through standards, community practice, and evaluation criteria, while acting with integrity.
Indiana University is a premium member, with access to multiple resources including the Burgundy Book: GRC Assessment Tools and the Red Book: GRC Capability Model. For more information, visit www.oceg.org.
Society of Corporate Compliance & Ethics (SCCE)
A nonprofit organization dedicated to improving the quality of corporate governance, compliance, and ethics by facilitating and maintaining compliance programs, providing professional forums for understanding the compliance environment, and providing resources. For more information, visit www.corporatecompliance.org.