Business Intelligence And Analytics In The Place Of GRC Reporting

Most GRC solutions include some sort of automated reporting, producing either preconfigured or customizable reports on organizational compliance and risk profiles, performance, and activities. These reports are generally used to understand current or historical performance, based on the data managed within the GRC solution. In their simplest variations, these automated reports replace any number of reports that are generated manually in the absence of GRC. As such, the primary impact of automated report generation features typically stems from the relief granted to compliance and risk staff in producing materials.

However, because GRC is a system of record able to track and maintain historical data as well as relationships between data, the reports generated by GRC can often provide greater sophistication of reporting than what is available through manual data management. Nonetheless, the contributions of automated reporting capabilities still have an upper limit. The reports generated are static “snapshots” of information that cannot be interrogated and that lack the intelligence to assist in interpretation or the identification of trends.

Again, compliance and risk represent Big Data problems involving large volumes, variety, and velocity of data. They are also highly context-sensitive problems that involve confluences of factors, any change in which can alter meaning, consequence, or risk involved. Making sense of the bridging connections across the various data sources involved is a major component of compliance and risk management. Business intelligence (BI) or analytics tools embedded within the GRC platform provide the ability to recognize these relationships, and identify trends and insights in a way that is not provided by basic reports. Core aspects of BI solutions, such as the ability to draw connections across data, roll-up conclusions, or drill down into underlying factors have tremendous impact in helping organizations manage the various constraints, risk tolerances, key risk indicators, and key performance indicators at the heart of compliance and risk operations. A further advantage lies in the combination of “real time” intelligence capabilities that allow the organization to automate oversight and the generation of meaningful reports and alerts as circumstances change, requiring new action or changes in strategy.

This ability to derive connections between data to drive new insights is the core difference between business intelligence and simple reporting capabilities. For example, where an automated report might be used to report the number of open risk projects within an organization and the percentage at a given stage of remediation, a BI solution can permit the organization to rank and prioritize incidents based on the potential exposure, consequences on business operations, and other factors set by the organization.

If automated reporting offers value primarily in terms of the efficiency of compliance and risk staff, the ultimate business impact of business intelligence analytics in a GRC environment relates fundamentally to improved insight into risk and compliance. The realized value of BI will depend on the particular application of the technology, but common themes within compliance and risk management relate to earlier identification of risks and potential incidents, as well as deeper insight into factors contributing to risks and relationships between key risk indicators and key performance indicators. The latter is particularly valuable for its ability to assist organizations in understanding their risk and compliance profiles, as well as in strategically planning and prioritizing activities based on potential impact for the organization. As such, these tools play a primary role in helping to increase the effectiveness of compliance and risk resources across the organization. Tracing a tangible business case for these solutions should draw from an understanding of the potential costs and consequences of risk events or compliance violations that can be avoided.

Table 3: Business Intelligence Analytics

Visualization of Compliance and Risk Data

Both risk and compliance management can involve large amounts of numerical or unstructured text data. Understanding the scope of change or making comparisons between numerical data can often be difficult for human reviewers. Even for the most numerically savvy, a quick review of simple data outputs often requires a great deal of “cognition” and calculation to make sense of the results. All of this slows the process of reviewing data and works to erode its value to users. This is particularly true for stakeholders who are not familiar with risk management. While many risk managers may be “numbers people” comfortable with risk scoring, Monte Carlo simulations, and other risk measures, the nuances can be lost on non-practitioners.

Data visualization technology is a response to these challenges, offering visual representations of data to speed interpretation and context-insight to assist human review. Visualization tools run the gamut: heat maps, simple line graphs, progress indicators, star charts, scorecards, and more. While the particular modes and presentations of a visualization tool may differ, the underlying purpose is the same: to allow for quick comprehension of data. As such, these tools contribute benefits in the efficiency and effectiveness of risk and compliance staff.

The efficiency impact naturally results from the removal of time wasted interpreting data. Visualization also helps organizations to gain more insight from data by identifying outliers or particularly problematic areas for focus. From this standpoint, visualization in GRC tools improves the effectiveness of compliance and risk management.

Most GRC solutions offer some form of visualization capabilities. Heat maps, bar charts, pie charts, and scorecards are particularly common tools to find within GRC dashboards. The challenge in evaluating these capabilities does not lie in the evaluation of the modes of presentation used as much as their integration with other reporting or analytics capabilities. Visualization tools used in combination with basic reporting capabilities will assist in the comprehension of data, but often serve as static representations.

Figure 4: Example of Basic Risk Heat Map

Figure 5: Example of a Risk Scorecard

When found in combination with analytics and BI capabilities, visualization tools help users to understand and interrogate the complex calculations and relationships in their data. Further, the ability to tailor visualizations to use-case-based data needs can expand the value a GRC solution contributes across its users.

Table 4: Visualization


