In federal agencies and beyond, the risk landscape is shifting. With new regulations, looming mandates, evolving technology, changing operations, and other emerging challenges, organizations are navigating significantly more complexity. As systems become more complex, risks increase. The US Office of Management and Budget (OMB) Circulars A-123 and A-11 underscore the urgency for agencies to implement enterprise risk management (ERM) programs. The need for an advanced approach to risk management is greater than ever.
As the risk environment evolves, the tools agencies use to monitor and evaluate risks must also evolve. All too often, however, the custom government-developed tools federal agencies use have not kept pace with the changing world. While government off-the-shelf (GOTS) governance, risk, and compliance (GRC) tools provide agencies the opportunity to design new solutions without having to reengineer their business processes, the time to develop and deploy those solutions and subsequent enhancements of functionality remains lengthy. Continuing to invest in existing GOTS GRC tools also presents a likelihood of solution defects, which often require lengthy troubleshooting. Meanwhile, agencies must rely on a cadre of developers to make functionality changes and operate and maintain GOTS GRC tools, which can be costly. For agencies with simple risk profiles and needs, this may not present a barrier to success. Others may rightly suspect there’s a better solution.
The traditional view of risk management is focused largely on compliance. That’s no longer sufficient. Today, ERM is defined as “the culture, capabilities, and practices, integrated with strategy-setting and its performance, that organizations rely on to manage risk in creating, preserving, and realizing value.”2 Utilizing a commercial off-the-shelf (COTS) GRC platform best suited to an agency’s needs and risk profile is key to maximizing the capabilities driving ERM. The return on investment for COTS GRC solutions should also be considered by agencies, as these tools offer a suite of modules that may be used to support other programs besides ERM. As the risk environment evolves, the tools agencies use to monitor and evaluate risks must also evolve.
GOTS GRC Pain Points
Many federal agencies are currently leveraging a legacy GOTS GRC tool. However, these GOTS tools typically can support only one or two use cases, and correlating data between them is challenging, as is segregating data and user access by organizational unit and providing advanced reporting. Also, many GOTS GRC tools have complex user interfaces, and functionality limitations often leave users having to export and manipulate data and route it through the organization via email to support reviews and/or reporting.
Lack of Insight Across Multiple GRC Programs
A large agency of the federal government has experienced challenges with its internal control program not identifying IT control deficiencies within the Risk Management Framework (RMF) program used for its financial management systems. A recent study on RMF IT controls assessed 503 IT controls within financial management systems across the agency. In 63% of those controls tested, internal security control assessors found the controls to be compliant, but external auditors found them deficient. The implication is clear and troubling: Authorizing officials may not have an accurate risk picture when they accredit systems and connect them to the agency network.
COTS GRC Tool Advantages
In today’s environment, some of the inconvenient pain points associated with GOTS-based GRC tools have become barriers to success. Agencies struggling with these barriers may want to consider COTS GRC solutions. Each of the many available COTS GRC tools has its own unique features, and these platforms offer some shared advantages:
- Out-of-box functionality supports multiple GRC use cases with workflow that supports multiple layers of reviews and approvals. These tools can define multiple user roles that reflect business processes and segregation of duties, and offer advanced reporting functionality that supports real-time reporting, including dashboards that drill down into individual records.
- The time from deployment to production is short
- Standard application programming interfaces support integration with other systems and vendor-supported extensions that possess out-of-box functionality
- COTS GRC software vendors continuously reinvest in new and enhanced functionality
- Governance features enable board-level reporting and collaboration
- Risk management features include risk management/integrated risk management (IRM), cybersecurity/IT (Federal Information Security Modernization Act and National Institute of Standards and Technology), operational risk management, reporting and collaboration, and RMF support
- Audit management features offer A-123 support, audit planning, execution, issue management, and reporting to ensure management and board-level transparency
- Environmental, social, and governance features include data collection and management, carbon-emission tracking and reporting, and management and regulatory reporting
- Compliance capabilities include policy warehousing, training, issue management, and regulatory management
The right COTS GRC tool for an agency will depend on the needs of the agency and the environment in which it operates. Forrester has rated Workiva, OneTrust, and ServiceNow as market leaders in an assessment of 15 commercially available GRC platforms. Diligent and MetricStream ranked close behind—top among their category of “strong performers.”
An agency’s IRM implementation strategy can be a determining factor in its selection of a COTS GRC platform. According to a Gartner analysis,4 an agency that has relatively siloed needs, such as having a single compliance mandate with low-risk maturity, might be best suited to tools such as Aravo or CLDigital. For agencies with a more complex risk profile, moderate risk maturity, and multiple programs, Gartner recommends platforms like LogicManager and OneTrust. Highly regulated agencies with highly complex risk profiles and high-risk maturity might be best served by options such as Diligent and ServiceNow, according to the analysis.
Given the unique needs and risk profiles of each agency, executives should have a deep understanding of their organization’s risk management requirements before determining which COTS GRC platform could provide the most value.
How Guidehouse Can Help
Guidehouse approaches ERM with the view that risk is a critical element in agencies’ ability to achieve their mission and strategic priorities. ERM is, therefore, an integral part of strategy development, execution, and performance management. Guidehouse employs two primary authors of the 2017 COSO ERM Framework, the most widely adopted ERM framework among respondents to the 2021 Federal Enterprise Risk Management Survey. Leveraging the appropriate COTS GRC platform should not be a back-office compliance program but a mission-critical decision.
A decision of such importance should rely on risk management experts who also understand the holistic needs and environment of a government agency. Guidehouse has been helping federal agencies design, develop, and grow ERM programs for more than a decade. Our organization is a leader in public sector consultation and our staff has extensive federal government experience. Guidehouse understands the unique risks involved in federal government processes because many of our consultants have worked within and for federal agencies.
Guidehouse COTS GRC Capabilities Include:
- Performing an Analysis of Alternatives (AoA) to understand the advantages and disadvantages of various COTS GRC tools for each unique agency
- Evaluating existing agency-owned tools
- Conducting pilot or proof of concept on AoA and providing tangible data to help with tool selection
- Assisting with tool selection based on the requirements and profile of the agency
- Developing a business requirements analysis and conducting a gap assessment
- Leveraging Agile concepts for solution implementation
- Delivering user training and supporting organizational change management to foster adoption of the new GRC tool
Retooling for the Future
As a leader in ERM and COTS GRC tools, Guidehouse offers specialized expertise to federal agencies to implement or improve ERM programs and implement COTS GRC tools.
As federal agencies work to evolve their risk management practices and tools to meet the changing risk environment, they should consider whether their existing GRC platform offers the functionality to keep pace with their business needs. Continuing to invest in existing GOTS tools may be sufficient for some agencies. The more complex the agency, however, the higher the potential for better outcomes with a COTS tool. To determine the best path, agencies should invest in a thorough evaluation of their risk management needs and the available COTS GRC tools. With the right solution, agencies can maximize their ERM capabilities and be prepared for a changing world.
Guidehouse COTS GRC Success Stories
Some examples of our projects assisting federal agencies with GRC tools include the following:
- Implemented a large federal agency’s RSA Archer GRC tool supporting OMB A-123 and external audit management programs at 40-plus component agencies and staff offices
- Implemented a large federal agency’s RiskVision GRC tool supporting the information assurance program for more than 200 classified and unclassified information systems
- Implemented a large federal agency’s SAP GRC tool supporting segregation of duties in user-access design and provisioning and high-risk application configurations and transactions
- ServiceNow implementations with multiple federal agency and commercial clients