I recently participated in an online discussion on this topic and thought it might be useful to have this debate in the ILN.
My initial thoughts were that the automation of controls and embedding of risk analysis and monitoring into automated processes are going to be the key indicators of 'GRC maturity.' This is what I would consider 'mature' use of the SAP GRC tools anyway.
To demonstrate real maturity in their approach to GRC, I would also suggest that a company would need to be able to prove that their automated controls are operating effectively and that an appropriate governance model is in place to sustain this.
Thinking less about technology and considering GRC in the broader context, I would suggest that the indicators of those companies operating a mature GRC programme might be:
- A centralised set of risks and controls (R&C) supported by application standards that implement this framework.
- Categorisation of R&C according to the compliance frameworks they support (e.g. SOx, data privacy, etc.).
- A defined governance model that allocates responsibility for continuous improvement of the R&C framework and enforces effective compliance reporting.
- Controls that have been well documented, with owners, frequency and sufficient detail to allow testing.
- Processes and tools to ensure continuous controls monitoring (CCM).
- A consistently applied categorisation of risk across the organisation.
- A centralised repository for controls testing to avoid duplicated testing and promote efficiency.
What are other people's thoughts on this question?