How do I get more out of my compliance budget?

GRC Budget Issue: Disparate Compliance Initiatives
Recommended Solution: Consolidate compliance initiatives into a single, enterprise-wide program
Applicable TruArx Offering(s): TruComply, Managed Compliance and Risk Services

GRC Budget Issue: Localized Decision-making
Recommended Solution: Implement a common risk management methodology and governance process for establishing priorities and making resourcing decisions
Applicable TruArx Offering(s): TruComply, Managed Compliance and Risk Services

GRC Budget Issue: Lack of Automation
Recommended Solution: Leverage quarterly UCF updates as a means for tracking changes to the regulatory environment and establish a governance process for reviewing new business initiatives for their impact on compliance
Applicable TruArx Offering(s): TruComply, Managed Compliance and Risk Services



Disparate Compliance Initiatives

In many organizations, each regulatory compliance initiative is managed by a separate group using distinct processes and tools. Our experience has been that combining such initiatives can reduce overall GRC costs by over 64% due to reduced duplication of effort as well as higher utilization of expert personnel and best practices.


TruComply allows organizations to achieve these savings by providing a common, enterprise-wide data repository. Clients can assess against any number of compliance standards at once, or run separate assessments for each throughout the year while using TruComply's data reuse feature to draw on evidence collected during previous assessments. Data reuse significantly reduces work effort and the associated 'audit fatigue.'


TruArx's Managed Compliance and Risk Services enable clients to take advantage of TruComply while having TruArx's team of expert consultants perform all assessment administration activities. By outsourcing assessment activities, clients gain budget certainty because all compliance activities are performed at a fixed price. Given TruArx's mature compliance and risk management processes, expert personnel, and TruComply toolset, we are generally able to reduce client compliance costs significantly or, alternatively, expand the scope of compliance efforts without increasing costs.


Localized Decision-making

Localized compliance initiatives lead to resourcing decisions being made on a regulation-by-regulation basis rather than globally. Likewise, each group tends to develop its own methodology for evaluating risk and deciding which findings are priorities for remediation.


Such an approach tends to increase costs for three reasons. First, since regulations often have significant overlap, each localized team may pursue different solutions to the same problem, resulting in a more complex, heterogeneous infrastructure to manage than was necessary. Second, since initiatives are evaluated and funded on a localized basis, remediation funds are often spent sub-optimally. After all, the third priority for SOX compliance may be more important than the first priority for PCI DSS compliance, or vice versa. Third, localized initiatives tend to be performed by ad hoc teams who do not employ sound risk management methodologies to prioritize findings. Decisions are made intuitively. Since regulations often involve a wide range of controls from procedural controls to highly specialized technical controls, priorities often are more indicative of the experiences and biases of team members than the real needs of the organization.


TruComply helps organizations make better decisions by centralizing all compliance activity into a single data repository and then applying a common risk management methodology to evaluate findings. TruComply's risk management functionality takes into account factors such as the effectiveness of a control at mitigating risk, the criticality of the scope item based on its confidentiality, integrity, and availability requirements, and the cost and complexity of remediation. As a result, the organization can centralize decision-making and use the information TruComply provides to make better resourcing decisions.


As part of TruArx's Managed Compliance and Risk Services, TruArx consultants help the organization establish and maintain an effective governance process. If the organization does not have a designated governance body such as a Steering Committee, the consultant will help identify the right stakeholders, establish a charter, and kick off the process. Once the governance body is in place, the consultant will use TruComply and other compliance data to give the group the information it needs to be productive, and will facilitate its meetings.


Lack of Automation

The most popular GRC tools today are Microsoft Office and SharePoint. While such tools can be effective for small-scale compliance efforts, they are inadequate for the complexity of enterprise-wide compliance and risk management efforts. Without the proper tools, organizations typically focus on only a small subset of their compliance requirements, because assessing a new regulation means spinning up a new team that must start from scratch. Our experience is that even clients with relatively large compliance budgets are actively managing less than 10% of the compliance requirements applicable to their business, because scaling their current program is cost prohibitive.


By contrast, TruComply makes it easy to scale compliance efforts cost-effectively. For example, consider a very simple environment composed of two assets, each of which must be assessed independently. Performing a PCI DSS assessment on this environment involves collecting data on 395 controls. Now the organization wants to consider its obligations under state privacy and breach notification laws. Since it is an e-commerce provider with customers in all 50 states, this brings an additional 76 regulations into scope. Absent a tool like TruComply, the organization will probably choose to rely on PCI and hope for the best with regard to state laws. With TruComply, the organization selects the additional standards through the assessment wizard and the assessment scope increases from 395 controls to 633 controls, because controls shared across the standards are assessed once. Thus, for approximately 60% more work (633 is roughly 1.6 times 395), the organization can manage compliance against all 77 standards instead of one.

Contact Us: 1.800.658.8709