Abstract
Effective Governance, Risk, and Compliance Management (GRC) software tools and software services need standards – for reasons of technical interoperability as well as reviewing, reporting, and auditing purposes. This chapter introduces an emerging standard for GRC metadata and metadata exchange, GRC-XML, on the background of standard frameworks for IT governance and risk management. This specification is then further analyzed with regard to its integration capabilities into the Object Management Group’s GRC related standards covering business motivation, management of regulation and compliance, business vocabularies, policies, and rules. Finally, the authors discuss in more detail the challenges to business rules applications and automated inferencing when governance, risk, and compliance issues need to be verified in practice.
TopIntroduction
Governance, Risk and Compliance Management (GRC) is a topic of increasing importance to enterprise software and electronic business technologies. Due to the ever-increasing number and complexity of regulations in all areas of e-business, even basic business interactions need to be engineered for GRC. Appropriate Governance, Risk and Compliance Management needs to be rooted in the overall management of an organization.
With the Open Compliance and Ethics Group (OCEG), a global standardization organization has been formed to define a generic GRC capability model. The industry and public administration member base of OCEG covers key players in many industries, comprising leading global GRC consultancies and software vendors. The OCEG GRC capability model defines key process / management components and outcome areas. Components are further subdivided into elements specifying a key process area for the component together with principles, common sources of failure and recommended practices. Practices are again detailed by key deliverables and enabling technologies. OCEG provides the GRC capability model as a structured document (Mitchell & Switzer, 2009b) and as an assessment data template that provides a framework for specific GRC maturity assessments for OCEG member or customer organizations (Mitchell & Switzer, 2009a).
For governance, the continuous auditing methods and continuous monitoring environments require enterprise software and e-business applications to supply a continuous stream of relevant data as well as control interfaces that allow for agile adaptation and reconfiguration of e-business services. Analogously, risk management in a continuous monitoring environment requires the availability of loss event data on a short-term basis for fast re-estimations and real-time assessments of risks. In financial services, the typical re-estimation period for loans has changed from 1 month to 1 day, which implies the need for massively parallel computations and appropriate infrastructures (Prätzas & Deutsche Bank Finance IT – dbArtos Team, 2010).
The biggest impact of GRC related business transformations, however, can be seen in compliance management. As an example, take the Basel II / Basel III regulations on capital adequacy in the finance sector (Basel Committee on Banking Supervision, 2006). These regulations are set up in a sufficiently general form to allow covering a wide variety of banking services, solutions and regional or national specific conditions. This leaves individual banking services providers with the task to interpret regulatory requirements and define appropriate measurement and control systems that demonstrably guarantee implementation of regulatory compliance. In the Basel II / III framework, for instance, banks can qualify for a certification allowing them to report on the basis of internal measurements (advanced internal measurements approach AIM) instead of being assessed by external evaluators. Therefore, business regulations are not simply collections of business policies or business rules that need to be acted on by an individual business. Instead, these regulations require transformation to and re-definition within the specific business context and demonstrable implementation of the resulting business policies and business rules.
Key Terms in this Chapter
Taxonomy: A definitional hierarchy of concepts. Traditional taxonomies are tree-structured (a concept is assumed to have exactly one superconcept and multiple subconcepts). The higher a concept is positioned in the definitional hierarchy, the more individuals it describes (the comprehension of the concept), but the less definitional properties are needed (the meaning of a concept). Modern taxonomies are often poly-hierarchical, these are also called facetted taxonomies.
Governance: all organizational structures, technical infrastructures and processes an organization uses to guide, monitor, control and audit its operations on strategic and operational levels. In our paper mostly equivalent to corporate governance.
Business Rule: In general, If-Then statements with machine processable clauses related to an organization’s processes or infrastructures. For distinctions of types, see paper text. In business process management, business rules act as complex decision gateways and are processed by a dedicated software module, the business rules engine.
Risk: The possibility of an event impacting an organization’s objectives. Usually considered to be composed of the probability combined with the severity or impact of loss events. Mathematically, a risk index can be represented as a convolution integral over the event probability distribution of the impact distribution. In practical approaches, events are often categorized according to causes and business areas and risk scores are estimated on several levels of detail.
Ontology: In semantic web and related technologies, an ontology (aka domain ontology) is a set of taxonomies together with typed relationships connecting concepts from the taxonomies and, possibly, sets of integrity rules and constraints defining classes and relationships. Ontologies are defined abstractly using predicate logic or a suitable subset (e.g., description logic). The concrete syntax for ontologies is often based on web publication and search requirements, at the time of this publication, the web ontology language OWL (see chapter references above) is the most frequently used language as it builds on the web resource description framework that is used in many web content management and content syndication standards.
Regulatory Compliance: corporate governance related structures or procedures in an enterprise or organization for ensuring adequate implementation of legal or standards based directives to business operations and infrastructures.
Enterprise Risk Management: corporate governance related structures or procedures in an enterprise or organization for dealing with risk. In the well known standard provided by the Committee of the Sponsoring Organizations of the Treadway Commission (COSO), risk management comprises eight components, environment identification, objective setting, event identification, risk assessment, risk response, control activities, information and communication, monitoring.