IncQ Consulting recently had our leadership conference on the beautiful Island of Phuket, Thailand.  Apart from wanting to make you jealous, I would like to share with you two slides from the presentation that was given to the IncQ Consulting Practice Leaders on Governance, Risk, and Compliance and then make some comments on it relating to the recent Walmart incident.

The first slide shows the historical drivers for significant market capitalization decline, categorized broadly into strategic, operational, legal and compliance, and financial risks.

The second slide represents some results of a survey conducted by KPMG.

A caveat on the market capitalization decline drivers: To keep the chart readable, a fundamental piece of data is missing – the interrelationship between the risk drivers and the risks. In the interest of trying to keep this blog short, I’ve drawn up some examples of how risk drivers and risks may be interrelated and therefore increase the likelihood of other drivers and risks. It can lead to what is called the Domino Effect and, if uncontrolled, will often lead to multiple catastrophic failures for the organization.

For simplicity, I’ve left out multiple impacts in different impact categories that are exacerbated by multiple risks, but let’s just say that I’m painting a very rosy picture of the domino-effect here.

Take the recent Walmart incident as an example of a simple domino effect.

http://www.nytimes.com/2012/04/25/business/wal-mart-says-it-is-tightening-internal-controls.html

A breakdown or absence of certain key internal controls, led to bribery (and also breach of compliance), which led to reputational fallout, which led to share price drops of around 12 percent on Monday, and a further 4 percent on Tuesday.  It also resulted in fallout with the main Walmart parent company, which trades separately to Walmart Mexico, with drops of 5 percent on Monday and 3 percent on Tuesday.

Linking this back to the KPMG survey results, we see the not too surprising business complexity, reducing risk exposure and improving performance as top-3 drivers for GRC convergence.

The interesting figure that I will focus on for this blog is the 4th driver.  This driver is the first driver that the CEO has actually singled-out as an explicit risk type ie, the most important risk to be best managed by GRC convergence is reputational risk.  This is risk-intuitive thinking.  Reputational fallout tends to be at the end of the domino effect and often affects share price.  Therefore, if we converge our Governance, Risk and Compliance frameworks and processes, and have a holistic, integrated, and coordinated approach to managing risks and domino effects, then we will avoid these reputational fallouts such as the recent Walmart incident.  That is because analysing reputational risk will show multiple other risks pointing to it, with multiple drivers, allowing us to more accurately focus our key controls.  Some of these controls won’t even directly relate to reputational risk.  We’re managing reputational risk, via indirectly controlling related risks.

Conversely, you simply can’t manage reputational risk in a silo. There’s no “preventative control” for reputational risk, only the efforts required to recover from reputational fallout.

Managing interrelationships between drivers and risks seems a little more difficult than managing risks in isolation, but there are two strong reasons to manage interrelationships between drivers and risks:

1. Companies don’t usually collapse or have significant market capital decline due to a single risk. Only when multiple risks hit all at once and the organization is not prepared for them do we see collapses of this nature.  Multiple risks hit all at once mostly because of the domino effect rather than just bad luck.  The domino effect therefore is the biggest risk (impact) a company can face.
2. It is impossible to make a judgement call on the appropriate level of control on any risks if we don’t understand the interdependencies and interrelationships with other drivers and risks.

As an example, a risk manager identifies a risk with a moderate likelihood and moderate impact.  Moderate control prioritization is made accordingly, based on the management of this risk in a silo.  A converged GRC process however would have identified the fact that this risk may significantly increase the likelihood of multiple, related, catastrophic risks.  The prioritization on this control should actually be very high.  Moderate control and monitoring of this risk is unduly exposing your organization to multiple catastrophic risks.

Mapping out the inter-relationships between risks and drivers by GRC Convergence.

How not to do it.

You don’t do it by listing your risks on a spreadsheet.  That would be the most granular silo there can possibly be (silo by risk).  I’ve yet to see anyone compile an accurate or even meaningful picture of their risks using a spreadsheet, and I’ve seen some amazingly complex spreadsheets.  I’ve had the following discussion with many Risk Managers telling me that their spreadsheet is sufficient technology for their $100m+ organization:

“If this driver happens, what will the impact most likely be?” asks Justin, pointing to line 250 on the spreadsheet as an example.

The Risk Manager proceeds to read out the risk description of line 250.

“So, the other 500 risks on your spreadsheet are all completely unaffected by this?” asks Justin.

Of course, they know that the answer to my last question is “no” or “I don’t know”.  The reality is, there is a more complicated impact than what they told me and the impact magnitude may be significantly higher than what they rated based on the fact that we now have multiple risk impacts all happening at once.  It’s much too difficult to comprehend this using a list of risks on a spreadsheet, but we must understand this if we are to protect our organization from the biggest, most catastrophic domino-effects.

How to do it.

It’s actually very simple if you use decent Risk Management technology.  You need good people, good process, and good technology, in balance.  I’ve seen the best people, with the best risk management frameworks and processes, using Excel lists, and it’s significantly holding them and their organization back.  It’s like turning up to a Formula One race in a horse and cart.  Even with the best race driver in the world, it’s still not the best holistic solution to meet objectives!

Risk Management technology should be able to answer the following 5 questions within a few seconds:

1. Can we easily see and analyse interrelated drivers and risks?
2. Can we calculate the expected impact of all of the interrelated risks for any specified risk driver?
3. Can we see where the real weaknesses are and appropriately prioritise controls on the risks that may not be damaging in isolation, but can trigger other catastrophic risks?
4. What are our real top 10 risks and their drivers, and how are we monitoring them (including their interrelated risks)?
5. Where should the CEO be placing focus to protect the organisation?

The more relevant the question to the organization, the less accurate the answer will be when using a spreadsheet. Spreadsheets are only ok at answering questions that aren’t really all that helpful to the CEO. A CEO is not interested in a spreadsheet of 500 or 1000 risks, as the CEO is typically working in magnitudes far greater than each of these risks alone and it’s just too much for him or her to become familiar with, and to do something about.

The CEO is interested however, in ensuring the biggest risk to the organization is appropriately managed. The only way to do this, is to properly identify interrelationship and the domino effect.

But Risk Management technology is expensive!

Only if you ignore the cost of not having Risk Management technology. 

Action points

I would like you to do the following (assuming you’re not up to your eyeballs trying to continuously update spreadsheets with risks):

• Look at your risk management technology and ask yourself those questions that I posted above.  Can you easily answer them?  Any decent risk management technology should have each of those questions answered by a simple report or dashboard.
• If you’re using Excel spreadsheet lists, try to map the relationships between the risks and drivers and each other.
• If you manage to do this, then contact me ASAP as you’ve just done something that I’ve never seen before and I would be thrilled to see it! 
• If you can’t do this, then contact me to talk seriously about some technology that will support you.  If not me, contact some other trusted risk management advisor (I assume you don’t have one if you’re still using spreadsheets).

There is so much decent Risk Management technology available at the moment for different industries, different organizational sizes and different price-points, you would be doing yourself and your organization a huge disservice if you weren’t to seriously consider talking to someone about it.

 

 

I live in a country where I see everyday people trying to influence their luck.  From burning incense and praying to numerous different gods, to burning paper representations of gifts to their ancestors, and hanging little trinkets from their rear-view mirrors in their car.  This is a foreign, albeit really interesting concept to me.  I wish them all the success they are praying for, but this approach isn’t for me.  My approach to influencing luck doesn’t look anything like this.  My approach is world recognised, is completely non-spiritual, is business-centric, and has been proven to work across all industries in many countries around the world.

This blog is to provide some practical measures to ensure your business has ‘luck on its side’.  

An old saying goes “Success takes 10% high-intelligence, 50% hard-work, and 40% good luck”.  Hard-work is drilled into us from when we first attend school or sometimes earlier.  The realities of high-intelligence becomes apparent to everyone somewhere along the line.  But what about good luck?  I’ve heard three schools of thought on good luck:

1. It is just something that happens or doesn’t happen and there is absolutely nothing we can do about it.  So, let’s forget it’s there.
2. Always think positively, because positive thoughts attract good luck.
3. You can proactively influence and leverage from good luck.

School of thought number 1 is basically saying that the 40% contribution of luck to success is completely out of our hands.  We brute-force our way to success with the shackles of whatever bad-luck comes our way.  This is not useful to us at all.

School of thought number 2 is somewhat useful.  You can read about this school of thought on numerous other blogs I’m sure, and self help books called ‘The Power of Positive Thinking’ or something similar.  I give it some merit in that someone who gives up after striking bad luck will more often than not be worse off than someone who maintains a positive attitude and tries to fix things.  In a way, this is part of managing luck, but is only a fraction of school of thought 3.

School of thought 3 is what this blog is focussing on.  Real influence over luck.  Mitigate the fallout from bad-luck, and grow the positive of good-luck.

Proactively Manage Luck

It doesn’t matter if your organization is small with only 10 people or large with 100,000 people.  With luck contributing 40% towards your success, it is definitely something worth managing now.

This flow chart below gives you a preview of a pro-active, world recognised best practice process for managing luck.

This may seem familiar to some of you.  I have taken part of a process from best practice, ISO31000 and replaced the work ‘risk’ with ‘luck’.  Why?  Because risk is luck and luck is risk.  Risk is the possibility of something occurring that influences your ability to achieve your objectives.  It can be good.  It can be bad.  Somewhere along the way however, people started seeing risk management as only focussing on the negatives.  Somewhere along the way people starting seeing risk management as a huge overhead and something not worth managing.  I’ve used the term ‘luck’ here as an opportunity to review Risk Management free from the preconceived ideas, and re-evaluate it from a fresh point of view. 

The reality of risk management is that it is one of the largest contributors to business success.  Even if it were a large overhead, it is still something that all organizations should be doing.  I’ve heard counter arguments that ‘good executive decisions’ are the largest contributor to business success and I agree to a certain extent with the following clarification – decisions can only be good when the risks (both positive and negative) are well understood.

The second reality is that risk management is in fact NOT a large overhead.  It is something that we are all doing already.  Without a consistent organizational framework, without appropriate governance, supported by an optimized system of people, process, and technology however, your risk management system is not working as well as it should be.  You’re not as successful as you could be and your risk management systems have a larger overhead than need be.

The third reality is that effective risk management that truly contributes to business success is so seldom implemented in an organization that it is in fact a differentiator amongst competition.  It separates the organizations that seem to succeed or fail depending on the general ‘flavour’ of the world economy versus organizations that thrive no matter what is going on around them.

Principles of Risk Management

Looking at the principles of Risk Management according to ISO31000, we can see that in fact the concept of risk management has always been to contribute to business success.  There’s nothing in there that indicate that it is only negative risks or that it will take a lot of time and/or cost a lot of money.

If you’re not familiar with the ISO31000 principles, or just haven’t read them for a while, please take your time reading the principles below and challenge your pre-conceived ideas of risk management.  I’ve read them many times, and every time I do, I still have an ‘ah ha’ moment!

a) Creates value
b) Integral part of the organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization

Next Steps

Not convinced yet?  Fair enough.  There are a lot of concepts out there claiming to be the number one contributor to success.  So, I leave you with an opportunity (being a popular term for positive-risk).  Contact me for a free Value Lifecycle Management service relating to Enterprise Risk Management.  We will have a Senior Advisor visit you for a week to understand your objectives, your people, structures, cultures, processes, and analyse your enterprise’s current state.  The deliverable of the service is a future state solution that meets your requirements and will help you achieve your objectives, a roadmap to get from your current state to future state, and business case including costings and benefits, all tailored to your organization.  We include all figures provided by you and used, all calculations and algorithms, and case-studies.  The future state will explicitly address any concerns you may have about resistance to change, complexity of implementing a future state, and other organizational priorities that you may have.  We will present our business case to you and to any other stakeholders in your organization that you feel appropriate.

Of course, this is an obligation-free and cost-free service to you.

Back in 2002 the Sarbanes Oxley Act was enacted as a response to the shock collapse of Enron and as a result, a sudden awareness that there aren’t really enough legal controls on accurate financial reporting for shareholders.  I say ‘shock’ collapse, as none of their shareholders had any idea that the company was in trouble, and in fact, not even their external auditors, Arthur Anderson, who collapsed shortly afterwards due to unrecoverable reputational fallout, had any idea that the company was in trouble.  There were other organizations also involved in corporate and accounting scandals around the same time as Enron, such as Adelphia, Peregrine Systems, Tyco International, and WorldCom.  Simply speaking, Sarbanes Oxley Act of 2002 was enacted as a way to legally enforce minimum standards to ensure the financial statements are reasonably accurate for companies that publically trade in the US stock markets.  Key sections of the Act include:

• 302: Disclosure controls
• 303: Improper influence on conduct of audits
• 401: Disclosures in periodic reports
• 404: Assessment of internal controls relating to the compilation of financial statements
• 802: Criminal penalties for influencing US Agency investigation
• 906: Criminal penalties for CEO/CFO financial statement certification
• 1107: Criminal penalties for retaliation against whilste blowers 

In concept, I think this Act is absolutely necessary.  Shareholders have a right to know what they’re buying.  There is some criticism about the cost of compliance with the Act.  I personally find these criticisms shocking.  All companies with shareholders should be complying with these basic principles anyway!  The Act simply asks you to prove it.  The cost should be relatively insignificant, and considered part of the cost of public trading, much like food manufacturers accept the fact that a nutritional breakdown of their food is supplied to their buyers – it is necessary information for the potential buyer.  Companies that say it’s very expensive clearly didn’t have any of these controls in place and if I were a shareholder of one of these companies, I would be very very unhappy.

I noticed an interesting side-effect to the introduction of the Act over the years.  A large number of companies that I have had discussions with, who probably had nothing in place before Sarbanes Oxley, thought that it might be a good idea to kill two birds with one stone and use the Act to guide a new Enterprise Risk Management capability in their organization.  Some of them had no Risk Management capability in their organization previously (again, shocking), or if they did, it wasn’t as mature as what the Act required of them, so they took a major direction change with their existing Risk Management capability, and based it all on Sarbanes Oxley principles.

The trouble with this decision is that Sarbanes Oxley has nothing to do with managing your enterprise risks.  It is about telling shareholders the state of the organization so that they can make educated decisions on what price to buy/sell the shares.  Risk Management is about understanding probability and impacts of events to exploit or reduce/manage to improve the performance of the organization and to reduce the damage caused by negative events.   Sarbanes Oxley doesn’t care if your organization thrives or collapses and does nothing to influence business success.  Sure, there is an overlap, but a small overlap.  There are some events that could cause a material misstatement to the financial statements AND damage the organization.  But there are many events that could cause material misstatement to the financial statements (Sarbanes Oxley), but not really a lot of damage to the organization (Enterprise Risk Management), and even more the converse – there are a lot of events that may cause significant and unrecoverable damage to the organization (Enterprise Risk Management), but not cause a material misstatement to the financial statements at all (Sarbanes Oxley).  Ironically, Arthur Anderson, the external auditors whose failures triggered the development of the Act, collapsed due to a risk event that had nothing to do with the accuracy of their financial statements.

So, does this mean that basing an Enterprise Risk Management function on Sarbanes Oxley is not ideal, but is better than nothing?  I.e., some risks will be detected, but not all?  My answer is NO.  Basing an Enterprise Risk Management function on Sarbanes Oxley is worse than nothing, in my opinion.  I’ve seen some organizations with Sarbanes Oxley-based Enterprise Risk Management functions be over-confident in their ability to manage their risks.  They made decisions based on this over-confidence, and now some of these organizations no longer exist.  Some of these organizations were not able to analyse and respond to the impacts of the Global Financial Crisis on time, because their risk assessments were always made in context of financial statement accuracy.

I am currently working with a large mining organization, and they have it right.  We are working on bringing together their Governance, Risk (Enterprise Risk Management), and Compliance (eg, Sarbanes Oxley) functions with a holistic system of people, process, and technology.  We are identifying their risks that have a potential inherent material impact on their organization (Enterprise Risk Management) including financial, reputational, and health and safety risk impacts, and we’re identifying risks that have a potential material impact on the accuracy of their financial statements (Sarbanes Oxley), amongst other risks of course.  We’re integrating what is otherwise a very good, yet silo’d approach to their risk management and compliance.  We can test a control that relates to material risk and Sarbanes Oxley once, and it flows up to their Enterprise Risk Management reporting and their Sarbanes Oxley compliance.  The expected value to their organization is huge.  More value than almost anything else they can do right now.

If you think that your organization is using Sarbanes Oxley compliance to drive Enterprise Risk Management, please contact me or anyone else at IncQ Consulting or your Risk Management trusted advisor for help as soon as possible!  You really need to start focusing on the risks to your business, not just your risks to your financial reporting.  Time, is not on the side of organizations with Sarbanes Oxley-based Risk Management unfortunately, and nothing is too big to fail.

3 Dimensions you need to look at integrating your SAP system

In our latest SAP Insider special report we talked about integrating SAP systems transforming your boardroom. We described how the interaction between the CFO, CRO and CEO can be supported to unlock predictive insights and come to better decisions. This is possible only by using common SAP tools that are integrated in a way they were designed to be used. We explicitly explained how your strategy management (SSM), business planning and consolidation (BPC) and risk management (RM / GRC) system can work together flawlessly so the decision makers can make use of the information without having to deal with a complex system landscape. Link to SAP Insider article.

Integration in this scenario is not just a technical word. In fact to overcome silo-ed, modular system usage and make information accessible intuitively to executives three things have to be taken into consideration – the strategy and process, the system landscape itself and the data.

3 Success Factors when integrating your strategy, planning and risk management system 

1. Holistic and overall approach of decision relevant processes

   one of the biggest success factors is actually the company strategy itself and the processes related to it. What are our strategic targets? What processes need to be in place to get us there? Who is going to drive it? This sounds simple but is one of the major factors for non-success.

   Transferring this to the processes to be integrated, it is crucial to approach every process holistically on the one hand side and get an overall view across the processes on the other hand side.

   For example to get a holistic view on the risk on an initiative you should not only concentrate on the risk appetite of the organization and put measures and controls in place to manage the risk appetite but at the same time use the risk management process to look at the upside of the initiative to maximize the impact and likelihood of the opportunity.

   One example to achieve an overall view across Strategy Management and the Planning, Forecasting and Budgeting process is to manage the same initiative in both processes. Strategy Management enables you to develop an integrated set of choices. This strategy should then be translated in the Planning, Forecasting and Budgeting process into annual target-settings, revenue projection and budget development.

2. Integration and Performance – the two drivers for the system architecture

   When talking about a typical BI system landscape it would include source systems (SAP and non-SAP), SAP BPC, SAP GRC, SAP BOBJ and eventually Predictive Analysis (Infinite Inside). A lot of organizations have a selection or all of these in their BI system landscape already but are using them silo-ed and modular.

   To go the last mile and have a “real” integration of the single systems you already have in place you should consider two success factors – Integration and Performance.

From the integration prospective SAP manages the matter in general by using BI (BW) to interconnect information between different systems. For SSM, BPC and GRC a direct integration is possible, which allows you for example to create initiatives within SSM that directly align with line items in BPC and pull budget and actual spend.
From the performance prospective HANA is one solution that supports data processing for decisions instantly. Additionally the response time should always be a driver when data modeling or building reports.

All this sounds simple but when doing so you need to create interconnections that reflect the processes – e.g. projections integrated and based on historical data, integration with different level of risks, mapping all these information eventually into a dashboard. All this needs a deep understanding of technology and business process at the same time. You need specific knowledge on single systems and processes in the landscape, at the same time it is crucial to understand the system integration of the single systems and how it affects the response time.

3. The foundation of any decision supporting system – Data Management Strategy and Master Data Approach

   Strategy, process and systems are very crucial for the integration success, but even having the best system integration, design and performance but not having correct data in your results would make a project fail. So the third crucial dimension is the data quality, the master data approach and the data management strategy.

   Especially when integrating multiple system “one version of the truth” is the foundation of the integration. This includes clear defined KPIs, data mapping rules depending on the variety of source systems and data consolidation with clear defined consolidation rules.

   Again, this does not only refer to the technical master data definition like using the same code length but especially refers to the data business meaning which can be different from source to source.

 

So in order to create “one vision of the truth” and guarantee a flawless working environment where system complexity and solutions are invisible for the business a lot of business and technology knowhow needs to be in place when building the integration. Talk to us and profit from IncQ’s broad Performance Management and Risk Management experience.

 

Many organisations work diligently to achieve Payment Card Industry Data Security Standard (PCIDSS) compliance in year one, but only 21% of organisations remain fully compliant at the time of the 2011 Report on Compliance**.

So, how can your organisation sustain PCIDSS compliance?

To date, the most common approach has been to establish a PCIDSS “project”, typically with a beginning and an end with the objective to “achieve compliance”.  However, achieving a sustainable compliance program means developing on going, maintainable business practices with the right people, processes and technology.

The PCIcomply framework provides a centralised PCIDSS compliance repository for all PCIDSS obligations, the applicable controls as well as the tools for enterprise wide monitoring, testing and reporting of PCIDSS compliance.  The solution includes workflows to support each process, Information Security Policy lifecycle management and certifications, and integration with Enterprise Risk Management (ERM) and PCIcomply as part of a multi-compliance framework.

What is the PCIcomply Framework and How Does It Do This?

To understand how the PCIcomply framework is a solution to sustainable PCIDSS compliance, let’s first look at what is PCIDSS and who has to comply, what happens if I do not comply and what are the compliance requirements

What is PCIDSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to help ensure organisations maintain a secure network and proactively protect customer account data.  It is the minimum requirements for handling cardholder information based information security best practices.

The PCI DSS is administered and managed by the Payment Card Industry Security Standards Council (PCI SSC), an independent body that was created by the major payment card brands (including Visa, MasterCard, American Express). The payment card brands and the acquiring banks are responsible for enforcing PCI DSS compliance.

 Who Has to Comply and by When?

 PCI DSS applies to all organisations that accept, acquire, transmit, process, and/or store cardholder data regardless of size and number of transactions.   These organisations are obligated to continuously protect cardholder data to the minimum requirements in the PCI DSS.

The dates for compliance set by the card brands both overseas and Australia have passed.

** Verizon 2011 Payment Card Industry Compliance Report.

What if I do not Comply?

There are two key consequences of non-compliance.  The first relates to the non-compliance with the standard and second are the impacts from a data breach.

Non-Compliance with PCI DSS

The PCI standard forms part of the operating regulations that apply to organisations that operate merchant accounts.  Organisations are contractually required to be compliant through their contracts with the card brands or their acquiring bank.  There are also regulatory requirements around privacy of customer data.  Consequence for non-compliance include: 

• Fines (in the US $5,000 to $100,000 per month) 
• Lawsuits
• Insurance claims
• Terminated banking relationship or increase transaction fees
• Potential inability to process credit cards

Data Breach

 The most sever consequence of non-compliance is the impact to your organisations reputation from a data breach.

Reputation impacts due to a breach of data security is both immediate and long term. Just one breach can do this.   Customers may no longer be confident their data is secure impacting the ability to conduct business both now and into the future.  This includes loss of current and future business, a significant loss in profits and poor industry/community standing.

To fix problems causing the breach and to become PCI compliance is not an overnight fix.  Becoming PCI compliant takes most organisations many months and involves significant investment and resources across the business.

So, what are the PCIDSS Compliance Requirements?

The PCIDSS Standard Requirements (based on the ROC V2.0) are:

• 12 high level compliance requirements within 6 control objectives
• 252 individual requirements 
• 315 testing procedures to determine the compliance status
• 654 test steps to be performed to support the testing procedures
• Applicable to multiple cardholder data environments (CED) – (Y)
• Up to Y x 252 Test Plans to be planned and executed (for multiple CDEs)
• Continuous control monitoring and reporting including
• Quarterly vulnerability scanning 
• Annual penetration testing 
• Annual QSA assessment

Features of a Compliance Program to facilitate compliance with the PCIDSS includes:

• Identify and record organisation CDEs
• Record all PCI requirements and map to relevant CDEs
• Assignment of accountabilities for key compliance activities (eg. Program Owner, requirement owner(s), requirements testers)
• Regular testing of control effectiveness, recording of test results, monitoring and remediation of compliance issues
• Design and maintain Information Security Policies and Procedures and monitoring of policy compliance
• Continuous stakeholder reporting of compliance status
• Compliance certification and sign off

The standard and requirements are not stagnant.  They are fluid in nature to meet the changes in both security and technology.  The Standard is continually revised and up-dated to meet these changing requirements.  This may be year to year.

The Solution to a Sustainable Compliance Approach – PCIcomply Framework
IncQ Consulting has developed the PCIcomply Framework powered by SAP GRC as a solution to sustainable PCI compliance.

What is the PCIcomply Framework?

The PCIcomply framework is a single enterprise automated repository for all compliance data.   It supports compliance monitoring and reporting frameworks and processes and can form part of an Enterprise Governance, Risk and Compliance Framework (eGRC).

PCIcomply enables: 

• Recording of the PCI DSS requirements – 12 high level and 252 individual requirements
• Recording of the testing procedures, tests steps and testing method (based on the ROC)
• Recording organisations CDEs
• Linking of the relevant PCI DSS requirements (and associated testing procedures) to CDE
• Linking to business processes
• Assignment of individual accountabilities 
• Planning and activation of Test Plans (via automated workflows)
• Recording of individual test results 
• Automated remediation processes to address compliance failures
• Policy Lifecycle Management functionality to assist with:
• Creation, maintenance, revision and publication of policies
• Mapping of controls, risks and compliance programs to specific policies
• Compliance status reporting (high level and granular)
• Compliance certification and sign off 

By design, PCIcomply enables multiple business areas and user to access, record, and monitor, manage and report their PCI requirements in a single system.  The assignment of ownership to key activities and the automated workflows ensures compliance activities are performed when required.  The integrated reporting function enables timely analysis and reporting of compliance data, determination of compliance status and the management of any compliance issues.

Other Features of PCIcomply

Additional features PCIcomply provide:

• Supports best practice governance, risk and compliance frameworks by promoting collaboration, accountability, transparency and consistency in the management of risk and compliance requirements.
• Integration with Enterprise Risk Management (ERM) providing an enterprise-wide risk and compliance view.
• Part of a multi-compliance framework enabling the mapping of controls to multiple regulations and policies.  Can also support additional regulations and policies and other review and audit processes.
• Audit log of all data, results, changes and updates.

What are the Business Benefits of a Sustainable Compliance Approach?

 The business benefits of a sustainable compliance approach are: 

• Single establishment
• In Place
• Continuous Business As Usual function
• Multiple users across multiple business areas
• Sustainable 
• Lower overall cost of compliance 
• Timely and informed decision making based on available and up-to-date PCI compliance data
• Ability to adjust obligation/requirement changes in a consistent and timely manner
• Ability to monitor and manage Information Security Policy effectiveness and to proactively take action on policy compliance issues

In Summary – PCIcomply, a Solution to Sustainable PCI DSS Compliance

 The PCI standard is a complex, onerous and continuous compliance requirement that requires the development of maintainable business practices with the right people, process and technology to ensure sustainable compliance.

The PCIcomply Framework powered by SAP GRC provides a solution to sustainable PCI compliance.  The integrated central repository for compliance data enables the recording, testing, monitoring and reporting of PCI requirements. The assignment of ownership to key activities and the automated workflows ensures compliance activities are performed when required.  The Policy Lifecycle Management feature enables the linking of controls, risks and compliance programs to specific policies such as the Information Security Policy.

PCIcomply is a component of a multi-compliance framework that can support additional Regulations and Policies and other review and audit processes and forms the basis of a roadmap to eGRC.