Have a Seat; We Just Want to Ask You a Few Questions...
By MT:15 on Jan 04, 2010
The new buzz term is "Governance, Risk, and Compliance." GRC. I think the word "management" is implied. Which of the following topics would you say falls under the GRC umbrella?
• Assuring that all members of a research team have documented, up to date certifications required for a grants project.
• Investigating an insider's unauthorized P-card purchases, and implementing preventative controls for the future.
• Preparing a report for the state legislative committee on higher education that shows enrollment trends for first-generation college attendees.
• Handling statements and evidence for a sensitive whistle blower's case.
• Implementing electronic workflow for approval of new vendor setup and payment thresholds, along with a review of the roles and permission assignments.
• Updating the Continuity of Operations Plan to ensure that all mission-critical information system services can be re-established at an offsite location within 2 days.
• Checking on departmental managers' progress to clear discrepancies from last spring's internal audit.
• Investigating a possible privacy breach of student data, while considering system security improvements that may prevent recurrence.
• Addressing a Board of Regents hearing about repeated incidents, as reported in the media, of senior faculty and executive administrative staff being hired far above established salary ranges and with unusual perks. Someone apparently circumvented approval policy.
The answer, of course, is "All of the Above." GRC casts a long shadow. The trend in the public sector and higher education seems to be one of piling on. One university finance manager said to me recently, "If I hear the word 'transparency' one more time, I am going to lose my cookies." Predictions are that the forthcoming increase in U.S. federal government investment toward education improvement will inevitably bring with it more reporting, audits, and potential for violations or misdeeds. Agency-level grant audits from the Departments of Labor, Education, HHS, Energy and Defense seem certain to increase, on top of traditional NIH and NSF audit activity.
For a preview on the trend for more reporting and compliance tracking, check out ARRA stimulus guidelines, especially Section 1512 Reporting:
Do you have governance over an academic medical center? Then GRC squared.
Oracle Governance, Risk and Compliance (GRC)
Oracle introduced its comprehensive GRC product suite in late 2008. A major new release of Oracle Enterprise GRC, built on the Oracle Fusion Middleware platform and featuring new risk management processes, shipped in December 2009. How does the Oracle GRC product set align with Oracle's PeopleSoft ERP/SIS applications and other Oracle offerings?
Enterprise Resource Planning (ERP) software has always inherently addressed needs for "Compliance" and "Control." Implementations of ERP, such as PeopleSoft Financials, include a move to paperless, automated workflows in which approvals are set up to align with organizational policy and structure. Similarly, ERP setup includes thorough definition of individual roles and the information each role is privileged to access. ERP systems also keep audit trails for transactions, data entry, and setup changes.
A question for readers, no need to take offense: When was the last time your organization did a thorough review of your ERP setup and role definitions?
Another question: If you have updated your administrative or grants-related policies, are they still properly represented in the ERP setup?
GRC software solutions are designed to work with, and surround, ERP/SIS transaction systems. Preventative and detective controls provided by the GRC suite are able to illuminate potential violations of Segregation of Duties (SOD) and other policies. In addition to providing fraud alerts, GRC Controls can help with your continuous improvement of policy implementation around data security, approval management, spend thresholds, and effective workflow. Building on this Controls layer, Oracle GRC includes risk management, process management, and GRC intelligence components.
The State of Enterprise Risk Management at Colleges and Universities Today
The Association of Governing Boards of Universities and Colleges has published a study on this topic at:
College and university senior executives view GRC as an important area for improvement. This is particularly true of the "Risk" element. A recently published survey drew the following summary conclusions:
"In private industry, boards and chief executives routinely consider risk in strategic planning, but a new survey by the Association of Governing Boards and United Educators reveals that higher education is lagging behind in this important fiduciary responsibility. (A detailed summary of the survey results is available at www.agb.org/research and at www.ue.org.) Key survey findings include:
• Sixty percent of respondents said their institutions do not use comprehensive, strategic risk assessment to identify major risks to mission success.
• Fewer than half of the respondents said they "mostly agree" with the statement, "Board members and senior administrators actively engage in discussions regarding institutional risks."
• Five percent of respondents said their institutions have exemplary practices for management of major risks to mission success."
Fragmented and After-the-Fact > Ongoing, Proactive GRC Process
Oracle GRC solutions have been designed to support compliance and control tasks as part of an established, ongoing process. This is in contrast to the typical higher education institution's reactive, incident-driven approach to GRC today. Most CFOs and compliance officers admit that they are held hostage to the 1,000 spreadsheets used to track various policy initiatives, oversight mandates, and in-process corrective responses to audit findings. Oracle GRC Manager features a special repository and workflow solution that moves your organization into a proactive posture. Objects such as policies, protocols, evidence, audit remediation steps, and periodic assessments are securely stored and indexed in GRC Manager. Risk assessment is supported as a repeatable process with metrics. There is also a GRC Intelligence product that can be used to provide managerial dashboards, keeping all levels of management involved in steady, continuous improvement.
Oracle GRC solutions work with any ERP transaction system, as well as Hyperion Financial Management. The goal of the Oracle GRC solution set is to provide "integrated support for enterprise risk management that promotes risk awareness, conducts assessments, simplifies measurement, identifies effective controls and helps organizations remove unnecessary business risk."
Learn more about Oracle GRC and potential benefits for Higher Education institutions in person
Oracle will host a Higher Education "Compliance" seminar on January 26th at Pace University in New York City. CFOs, VPs of Finance, and VPs in charge of compliance, audit, IT or risk will want to attend this informative 5-hour seminar, "Solutions for Implementing the American Recovery and Reinvestment Act in Higher Education."
For more information and to register, visit: