Governance, Risk and Compliance

3 Renowned Certifications in GRC

CEOs are always on the lookout for dependable folks who can identify potential exposures and quantify the impacts of risk on an organization while protecting the interests of employees, shareholders, other organizations and the general public. Here are six top-rated Governance, Risk and Compliance (GRC) certifications that are worth the time, cost and effort.

In the wake of several well-publicized corporate scandals about 15 years ago – Enron and WorldCom, to name two – and the passage of the Sarbanes-Oxley Act in 2002, organizations that must adhere to regulations for data security, financial accountability and consumer privacy can’t do without someone making sure internal processes are being carried out properly. Enter the need for competent governance, risk and compliance (GRC) professionals.

The goal of GRC, in general, is to ensure that proper policies and controls are in place to reduce risk, to set up a system of checks and balances to alert personnel when new risks materialize and to manage business processes more efficiently and proactively. Professionals with a GRC certification must juggle stakeholder expectations with business objectives, and ensure that organizational objectives are met while meeting compliance requirements. That’s an incredible amount of responsibility, and is absolutely necessary in today’s business climate.

All kinds of job roles require or benefit from a GRC certification, such as chief information officer, IT security analyst, security engineer architect, information assurance program manager and senior IT auditor, among others.

Here are our picks for GRC certifications.

Certified in Risk and Information Systems Control (CRISC)
One of the most sought-after GRC certifications by candidates and employers alike is the CRISC from ISACA, which identifies IT professionals who are responsible for managing IT and enterprise risk and ensuring that risk management goals are met. A CRISC is often heavily involved with overseeing the development, implementation and maintenance of information system (IS) controls designed to secure systems and manage risk. Since 2010, ISACA has issued over 18,000 CRISC credentials, which is a relatively high number in the GRC certification field.

The CRISC exam covers four domains: Risk Identification (Domain 1), Risk Assessment (Domain 2), Risk Response and Mitigation (Domain 3) and Risk and Control Monitoring and Reporting (Domain 4).

Requirements: Pass one exam (150 questions, four hours), prove a minimum of three years of cumulative work experience in IT risk and information systems associated with at least two of the four domains, adhere to the ISACA Code of Professional Ethics and comply with the CRISC Continuing Education Policy.

Exam cost: $440 to $675, depending on whether you are an ISACA member and when you register.

Project Management Institute-Risk Management Professional (PMI-RMP)
Anyone who has pursued a project management certification is familiar with the Project Management Institute (PMI), either through research or by picking up the coveted Project Management Professional (PMP) credential. However, PMI also offers the Risk Management Professional (PMI-RMP) certification, as well as several others that focus on business management, processes, analysis and scheduling.

The PMI-RMP identifies IT professionals involved with large projects or working in complex environments who assess and identify project-based risks. They are also competent in designing and implementing mitigation plans that counter the risks from system vulnerabilities, natural disasters and the like.

The PMI-RMP exam covers five knowledge domains: Risk Strategy and Planning (Domain 1), Stakeholder Engagement (Domain 2), Risk Process Facilitation (Domain 3), Risk Monitoring and Reporting (Domain 4) and Perform Specialized Risk Analyses (Domain 5).

Requirements: Pass one exam (170 questions, 3.5 hours), prove achievement of a secondary degree (high school diploma, associate’s degree or global equivalent), and prove at least 4,500 hours of project risk management experience and 40 hours of project risk management education. The experience and education requirement can be substituted with a four-year degree (bachelor’s degree or global equivalent), at least 3,000 hours of project risk management experience and 30 hours of project risk management education.

Exam cost: $520 (member), $670 (non-member).

Certification in Risk Management Assurance (CRMA)
The Institute of Internal Auditors (IIA) is a global professional association that provides information, networking opportunities and education to auditors in business, government and the financial services industry. One of the IIA’s certifications is the CRMA, which recognizes individuals who are involved with risk management and assurance, governance, quality assurance and control self-assessment. A CRMA is considered a trusted advisor to senior management and members of audit committees in large organizations.

Requirements: One exam in two parts: CIA Exam Part 1 – Internal Audit Basics (125 questions, 2.5 hours) and CIA Exam Part 2 – Internal Audit Practice (100 questions, 2 hours). In addition, prove achievement of a 3- or 4-year post-secondary degree (or higher), or two years of post-secondary education and five years of internal auditing experience (or equivalent) or seven years of internal auditing experience. Prove at least two years of auditing experience or control-related business experience in risk management or quality assurance. Finally, provide a character reference signed by a person holding an IIA certification or a supervisor, provide proof of identification and agree to abide by the Code of Ethics established by The IIA.

Exam costs: $350 (members), $450 (non-members).

GRC is profitable

By taking an integrated, enterprise-wide management approach, governance, risk and compliance can actually be turned into a profit-centre.

I am sure it will come as no surprise that many organisations see compliance with multiple legislative and regulatory standards as just another cost and resource burden weighing on bottom-line business goals.

It may be more surprising that, to me, this “hardened cynicism” is understandable and forgivable: historically, new business processes introduced to meet the “next big thing” have often been perceived as adding little to the business other than cost.

With reference to compliance, some argue that the same cynics’ mantra can be chanted again. As the tidal wave of recent new standards has appeared, with draconian penalties for non-compliance, many private and public sector organisations alike have adopted multiple systems to manage compliance problems on a case-by-case basis. Unfortunately, too often responsibility for ensuring compliance lay initially with individual line managers, not trained compliance staff. Here the imposition of new processes has led to a tick-box culture in which managers effectively do the minimum to comply, hoping to minimise the impact on their department’s daily working practices. A recent Achiever survey also revealed that 8 out of 10 managers responsible for GRC felt that “overkill” levels of “noise” were too onerous and were souring management attitudes.

Integration and coordination
However, even where trained corporate compliance officers have been involved, the adoption of multiple, mutually exclusive systems has, in my opinion, generally failed and will continue to fail. This is not only because of the costs and resource commitments involved, but also because the complete lack of integration or coordination between these systems across the enterprise generates significant and unnecessary complexity. This in turn results in a lack of management buy-in and understanding.

However, before one predicts a widespread backlash, I see compliance starting to emerge from this self-inflicted and troubled puberty, and its real and unsung benefits are driving organisations’ own desire to invest in getting GRC right. The reasoning behind this change is that effective management of compliance and risk issues is now seen not as the pariah of control freaks hell-bent on frustrating business, but as a potential profit-centre. This attitudinal turnaround has happened because it has dawned on senior management that the only effective way forward is to deploy a centralised, enterprise-wide system, which eliminates the problems of using multiple systems.

For any enterprise-wide Governance, Risk and Compliance management system to be effective, though, it must deliver a single, integrated management strategy across the whole organisation, be harmonious with the organisational or business goals and drill down into everyday business processes. In short, we are talking about GRC systems going beyond mere compliance, instead serving as a catalyst for enhancing overall business consistency, efficiency and accountability. This is in sharp contrast to the historic approach of multiple systems that do little more than mirror legal requirements.

Ease of access to information
On the compliance front, this approach provides a framework that immediately saves money, eliminates duplication and introduces increased efficiency and productivity into the business. This framework coordinates all areas from health and safety and employment legislation to high profile regulatory compliance areas such as Sarbanes Oxley and Basel II. It should integrate too with key market specific directives such as MiFID in the financial services industry.

It must be role-sensitive when it reaches operational management; in other words, managers can access exactly the information they need for their role. Each manager should have a clear single view of those GRC standards that apply to their area of operation, ongoing performance against these criteria, links to archive resources and, if possible, up-to-the-minute RSS feeds to inform or alert them to daily task-relevant developments that affect their ability to comply or avoid risk. In short, the system is not a burden to be coped with; rather, it is an asset that can improve role performance and the upward and horizontal lines of communication between departments.

In an ideal world, access to this information is delivered by portal or at least via the existing company intranet. The responsibility for pulling this together should either rest with a trained compliance operation or the IT department.

The benefits of this integrated, role-sensitive approach vary from organisation to organisation, but are likely to include reduced system maintenance costs, training requirements and IT support resources, together with greater take-up by, and communication between, employees across the business. More importantly, the consistency and structure it delivers on an operational, day-to-day basis will help staff at all levels understand their roles and responsibilities better, and will improve the organisation’s ability to make better decisions faster by defining decision rights for new services, and in particular the decision rights that exist between the business and IT.

By this means GRC ensures that all organisational stakeholders have a clear understanding of what decisions need to be made, who should make them and when. This eliminates confusion and uncertainty, two of the greatest threats to teamwork and the ability of teams to work well together.

Further, an efficient enterprise-wide, roles-based system will enable automation of ongoing policy and process definition and recording; manage access rights, alerts and escalations; and deliver timely actions to the right people for follow-up. The resources previously used down the line propping up multiple systems will be free to allocate back to achieving operational goals and concentrating on business tasks. IT staff are also more in touch with the business and can work better with individual units, delivering high levels of service at a lower cost.

Benefits of compliance management
When one looks at the risk side of the equation, the enterprise-wide approach delivers even greater benefits. With the introduction of an integrated and centralised, risk-based strategy, the areas of highest risk and cost to the business are flagged more quickly and consistently, allowing them to be addressed as a priority. Management are able to see at a glance where the highest problem areas occur and with what frequency specific problems arise. This ensures that they are able to act more quickly and consistently than before.

Previously, it was often difficult to know the areas of highest cost and risk to the business, relying instead on a “they who shout loudest gain most attention” culture. Less vaunted risks would often be overlooked and yet prove to be the most costly of all, not only in terms of the cost of recovering from a problem but also, in the worst cases, serious damage to corporate reputation and goodwill. This, of course, is ultimately reflected negatively in the balance sheet.

In contrast, by determining that Governance, Risk and Compliance are systematically managed enterprise-wide, there is a very different impact on the balance sheet: greater profitability. This one fact alone will ensure that the technology to drive GRC forward is destined to become an essential element of best business practice.