Moving Forward
By Samuel Greengard | Posted 2011-09-30
Governance, risk management and compliance are increasingly woven into all aspects of business, so it’s vital for management to understand the complexities involved in this issue.
Sallie Mae, the world’s leading provider of student planning and loans, is among the organizations that have worked hard to tackle GRC in a comprehensive way. The Fortune 500 company manages more than 10 million student loans valued at $268 billion.
Altogether, about 10,000 employees and contractors handle documents and oversee business processes. Consequently, Sallie Mae must monitor 162 different compliance rules and regulations, including SOX, FISMA (Federal Information Security Management Act), FFIEC (Federal Financial Institutions Examination Council), GLBA (Gramm-Leach-Bliley Act), PCI DSS and FACTA (Fair and Accurate Credit Transactions Act).
Building an automated compliance model was critical, says Jerry Archer, chief security officer for Sallie Mae. In the past, the organization stored records in a mélange of systems and files, including spreadsheets that sometimes ballooned to more than 3,000 entries.
Now, Sallie Mae uses SailPoint IdentityIQ to oversee a role-based access management framework. The system provides visibility into user-access privileges and provides complete oversight into identity data. Managers work with a finite set of defined roles rather than an infinite number of individual users. All the information is visible through a dashboard.
The approach has paid significant dividends—particularly as employees have turned to laptops, smartphones, tablets and other mobile tools to exchange data. The system manages VPNs, tokens and other authentication tools. IdentityIQ also allows the company to provide access to social networking sites for authorized employees on an exception basis.
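The two ideas in the passage above, reviewing a finite set of roles instead of every individual user and granting out-of-role access only on a recorded exception basis, can be shown in a few dozen lines. The following is an added illustration, not Sallie Mae's configuration or SailPoint IdentityIQ's API; the role catalogue, user names, entitlement strings and the approver field are all constructed for the example.

```python
"""Role-based access review with exception grants (added example, hypothetical data model)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Constructed sample role catalogue: role name -> the entitlements it carries.
# A reviewer signs off on these definitions once, not on each user separately.
ROLES = {
    "loan_officer": {"loan_db:read", "loan_db:write", "vpn"},
    "collections":  {"loan_db:read", "dialer", "vpn"},
    "marketing":    {"crm:read", "social_media"},
}


@dataclass
class User:
    name: str
    roles: set[str]
    direct_grants: set[str] = field(default_factory=set)  # access granted outside any role


@dataclass
class ExceptionGrant:
    """A direct grant approved on an exception basis, with a named approver and an expiry."""
    user: str
    entitlement: str
    approver: str
    expires: date


def effective_entitlements(user: User, roles: dict = ROLES) -> set[str]:
    """Everything the user can actually do: the union of their roles plus direct grants."""
    ents: set[str] = set()
    for r in user.roles:
        ents |= roles[r]
    return ents | user.direct_grants


def review_surface(users: list[User], roles: dict = ROLES) -> tuple[int, int]:
    """Items a reviewer must certify: (role-level entitlements, per-user entitlements).

    The first number is fixed by the role catalogue; the second grows with headcount,
    which is why reviewing roles scales and reviewing individual users does not."""
    role_items = sum(len(e) for e in roles.values())
    user_items = sum(len(effective_entitlements(u, roles)) for u in users)
    return role_items, user_items


def review(users: list[User], exceptions: list[ExceptionGrant], today: date) -> list[tuple[str, str, str]]:
    """Flag every direct grant that is not backed by an unexpired, approved exception."""
    valid = {(e.user, e.entitlement) for e in exceptions if e.expires >= today}
    findings = []
    for u in users:
        for g in sorted(u.direct_grants):
            if (u.name, g) not in valid:
                findings.append((u.name, g, "direct grant without a current exception"))
    return findings


# Constructed sample population: bob's social-media access is a current exception,
# dave's exception has lapsed, and carol holds a write grant nobody approved.
SAMPLE_USERS = [
    User("alice", {"loan_officer"}),
    User("bob", {"collections"}, {"social_media"}),
    User("carol", {"marketing"}, {"loan_db:write"}),
    User("dave", {"collections"}, {"social_media"}),
]
SAMPLE_EXCEPTIONS = [
    ExceptionGrant("bob", "social_media", "cso", date(2011, 12, 31)),
    ExceptionGrant("dave", "social_media", "cso", date(2011, 6, 30)),  # expired
]
TODAY = date(2011, 9, 30)

if __name__ == "__main__":
    print("review surface (role items, user items):", review_surface(SAMPLE_USERS))
    for finding in review(SAMPLE_USERS, SAMPLE_EXCEPTIONS, TODAY):
        print("FINDING:", finding)
```

Run as a script it lists the two grants a manager would have to either approve (creating an exception record) or revoke; everything covered by a role or a live exception is silent. The expiry on each exception is what keeps "exception basis" from quietly becoming permanent.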
The results have been impressive. While the number of controls rose from 800 to 2,500 during the last two years, Sallie Mae was able to slash overall GRC expenses by 40 percent.
Accenture’s Dyson says that companies and application vendors are increasingly focusing on merging the IT and business sides of GRC. He points out that while authentication, passwords, robust reporting and monitoring, and other controls are an important part of the picture, systems must tie together technology, process controls and risk management. “These are the three cornerstones of effective GRC,” he explains.
Today’s global business environment presents thorny GRC challenges. ZeroPoint’s Ulsch points out that organizations may find themselves dealing with the business practices of contractors and third-party providers, background checks in other countries, foreign corrupt practices and a spate of other issues. The ability to track internal transactions and processes is only one part of the picture. It’s not unusual for GRC to span an entire supply chain.
One company that understands this issue is Tognum America (formerly MTU Detroit Diesel), a manufacturer of engines used in boats, military systems and off-highway equipment. The firm ships products to dozens of countries and must cope with a tangle of regulations and restrictions. This includes U.S. Customs requirements, as well as export controls, sanctions and embargo lists that change on a regular basis. A breach could result in fines or a loss of business, says Christin Gleissner, manager of logistics and customs compliance.
In the past, the company relied on spreadsheets and manual processes to keep track of compliance issues related to incoming and outgoing shipments. “There was much greater risk of human error,” Gleissner says.
Tognum America now relies on the SAP BusinessObjects Global Trade Services (GTS) system to automate its GRC processes. This includes checking the latest restriction lists, which sometimes change between the receipt of an order and the shipment of that order.
But the challenges don’t stop there. Orders stream in via a number of networks and systems. In some cases, customers call the company directly. In other instances, distributors enter orders, or employees place an order from a computer located in the office or from a mobile device in the field.
The GTS system tracks all the orders and provides a real-time view of any issues or problems. “It makes it easy to ensure that we’re achieving the highest level of compliance,” Gleissner says.
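The control the passage describes, screening a party when the order is taken and screening it again against the current list at shipment, is easy to get wrong by caching the first result. The following is an added example, not Tognum America's setup or SAP GTS code; the list versions, party names and embargoed-country set are constructed, and matching is an exact comparison after normalization (production screening tools also do fuzzy and alias matching, which is out of scope here).

```python
"""Two-point restricted-party screening: at order receipt and again at release (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass


def normalize(name: str) -> str:
    """Fold case, drop punctuation and collapse whitespace so list and order names compare."""
    name = re.sub(r"[^\w\s]", " ", name.casefold())
    return " ".join(name.split())


@dataclass
class RestrictionList:
    version: str       # identifies which published list a decision was made against
    entries: set[str]  # normalized party names

    @classmethod
    def from_names(cls, version: str, names: list[str]) -> "RestrictionList":
        return cls(version, {normalize(n) for n in names})


@dataclass
class Order:
    order_id: str
    consignee: str
    country: str
    screened_against: str | None = None  # audit trail: last list version applied
    hold_reason: str | None = None


def screen(order: Order, rlist: RestrictionList, embargoed: set[str]) -> str | None:
    """Return a hold reason, or None if the order is clear against this list."""
    order.screened_against = rlist.version
    if order.country in embargoed:
        return f"destination {order.country} is embargoed ({rlist.version})"
    if normalize(order.consignee) in rlist.entries:
        return f"consignee matches restricted party on {rlist.version}"
    return None


def accept_order(order: Order, rlist: RestrictionList, embargoed: set[str]) -> bool:
    """Screening at order receipt."""
    order.hold_reason = screen(order, rlist, embargoed)
    return order.hold_reason is None


def release_for_shipment(order: Order, current: RestrictionList, embargoed: set[str]) -> bool:
    """Screening at shipment. Always re-screen against the current list rather than
    trusting the receipt-time result: the list may have changed in between."""
    order.hold_reason = screen(order, current, embargoed)
    return order.hold_reason is None


# Constructed sample data: a party is added to the list between order and shipment.
LIST_V1 = RestrictionList.from_names("list-2011-09-01", ["Acme Marine Ltd."])
LIST_V2 = RestrictionList.from_names("list-2011-09-15", ["Acme Marine Ltd.", "Blue Harbor Shipyard"])
EMBARGOED = {"XX"}  # placeholder country code, not a real designation

if __name__ == "__main__":
    order = Order("O-1001", "BLUE HARBOR SHIPYARD", "BR")
    print("accepted at receipt:", accept_order(order, LIST_V1, EMBARGOED))
    print("released at shipment:", release_for_shipment(order, LIST_V2, EMBARGOED), order.hold_reason)
```

The `screened_against` field is the part an auditor asks for: it records which published list each decision used, so a hold raised at shipment can be traced to the list change that caused it rather than looking like a screening failure at order time.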
In fact, since turning to the GTS system, Tognum America has boosted compliance ratings by more than 15 percent to the current level of more than 95 percent. It also has achieved the added benefit of reducing invoicing discrepancies by 80 percent.