Taming the Compliance Beast

SUMMARY: RadiSys faces complex challenges related to governance, risk and compliance, especially as it relates to compliance with the Sarbanes-Oxley Act. Compliance Manager Michael Higgins explains how the company implemented a flexible GRC solution to meet these challenges and address new ones as the Hillsboro, Ore.-based company evolves.

As a rapidly growing and evolving organization, RadiSys faced the challenge of managing the cost of the resources needed to meet governance, risk and compliance goals and commitments. While many organizations attempt to maintain a small GRC team and rely on spreadsheets and manual processes, we took a different approach.

When I came to RadiSys in 2006, the company had already contracted with Protiviti, a business consulting and internal audit firm, to support its year-one SOX efforts. It was also using the Protiviti Governance Portal to manage control documentation and testing, and as a data repository for flow charts, narratives, risk control matrices, control objectives, mitigation controls and more.

We now use this portal for all our offices in the United States and Canada, as well as for our finance headquarters in Europe and our offices in Malaysia and China.

I soon started looking for ways to leverage the Governance Portal to help with other processes. For example, I learned of the company’s interest in outsourcing statutory documentation as a repository solution. So I created, tested and demonstrated a new layer within the portal that would allow RadiSys groups worldwide to upload their documentation. It was a successful solution, and the organization saved $50,000.

Over the past couple of years, quarterly subcertifications have become increasingly important to us, and we have significantly increased the number of them. Our old manual process was sufficient when the number of surveys was small, but eventually there were more than a hundred surveys sent to finance, sales, order fulfillment and the executive team, so we needed to automate.

Initially, we tried to automate the process in SharePoint, but it required a significant learning curve. In addition, it didn’t provide sufficient visibility into our relevant activities, or produce easy-to-access data for our outside auditors to review.

We found that Protiviti’s Assessment Management module did provide the survey engine needed to support our 302 certification process. Implementing this module was straightforward and streamlined the survey process considerably. In addition, we were able to formalize our quarterly control self-assessments.

As with the 302 certification process, surveys are deployed globally to all control owners, requesting them to certify the status of their controls. The Governance Portal enables control owners to assess the situation by uploading supporting documentation. Depending on the type of response provided, we can create automated action plans to facilitate the remediation of control issues.

We have now deployed our first round of assessments globally using the module, and the results have been positive. Users find it easy to navigate, and it facilitates the production of accurate assessments.

In addition, I can use the reporting feature to view the assessments that require follow-up and to provide executive managers with the information they need. We use Business Objects’ Crystal Reports to support graphical reporting. Updates to documentation and controls can be addressed immediately rather than annually.