By: Rachelle Lowder & Anthony Dacong
When did you last reassess your risk management process? Whether in times of peace or conflict, the Department of Defense (DoD) must have the proper tools in place to support on-demand, data-driven decisions drawn from timely and accurate operational, financial and technical information. In early 2020, the DoD set out to make this a reality by developing a digital Governance, Risk and Compliance (GRC) system that would unite the organization in a new and innovative way.
Goodbye Data Silos, Hello Integration
GRC is the set of integrated capabilities that enable an organization to achieve objectives, address uncertainty and act with integrity. Every organization (private and public entities, large and small businesses) faces unique challenges, and GRC provides a framework for navigating demands amid an ever-changing and unpredictable business climate.
Although organizations have been governed and risk and compliance have been managed long before they were ever integrated, the development of these digital GRC systems has been revolutionary. GRC systems support the transition from data silos — which are infinitely harder to leverage — by creating an environment that establishes a common foundation for authoritative guidance, risks and controls across an organization. This unified approach eases system complexity, strengthens user adoption, reduces training time and enables cross-functional collaboration, all while elevating the DoD’s ability to act instead of just react.
The Situation: A Fragmented Legacy Approach
In this digital age, we are faced with large amounts of data that are only impactful when analyzed and related properly.
One of Ignite Digital Services’ clients knew this firsthand. Although their internal control environment was relatively mature before their legacy system lost the ability to operate (ATO), the platform siloed data and didn’t present a comprehensive picture of the command’s internal control environment. The client became the pilot for the new GRC system, serving as the test case for whether an integrated platform would better uphold the goals of GRC controls.
This trend has been seen across the DoD. The department and its agencies have several internal control environments that track meaningful data. The downside, however, is that these environments tend to silo data without providing a clear, comprehensive picture of internal control data that is shared collaboratively or across functions.
The Solution: An Enterprise Tool for Risk Management Process
Although it is common to regard GRC as solely an internal control support system, the risk management process tool is built to support an enterprise vision while improving transparency, accountability and resource management and reducing information silos and data overload across the DoD. Ignite Digital Services knew that to be successful, our solution would have to address the three components of GRC proactively and seamlessly:
Governance: Governance assembles processes and structures implemented by a governing body to inform, direct, manage and monitor the organization’s activities to achieve its objectives.
How It Works: Our solution provides the framework to help establish a scalable and flexible environment to manage laws, regulations, policies, guidance and more by supporting the ability to create, manage and distribute corporate and regulatory policies, standards, and procedures that define how DoD is governed and operated.
Risk: Risk is measured in terms of impact and likelihood and is defined as the possibility of an event occurring that will affect organizational objectives. Expanding further, risk management is a process to identify, assess, manage and control potential events or situations to provide reasonable assurance an organization will meet its objectives.
How It Works: Our solution informs the enterprise about its risks and provides the necessary transparency to react to risks that exceed acceptable levels. Additionally, it provides the capability to document risks throughout the organization while applying a bottom-up (granular risk register) view or a top-down (command or enterprise) view for a more holistic understanding of the risk environment, supporting financial, technical and operational risks.
Compliance: Compliance evaluates how well the organization manages processes and internal controls to stay within the guidelines set by the laws and regulations. To maintain compliance, the internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.
How It Works: Our solution enables leaders to make fully informed risk-based business decisions to support financial compliance. It also allows users to assess and report on the performance of controls in addition to automated control assessment and monitoring.
The GRC system excels at creating connection points and visualizing data in ways previously unrealized — creating a new level of transparency within the organization. It also integrates into daily operational management, supports internal control initiatives such as Financial Improvement and Audit Readiness (FIAR), and delivers on-demand metrics to newly engaged stakeholders.
What Does This Mean for You?
GRC tools are not going away; if anything, a digitally integrated solution will be the standard for the DoD in the future. Knowing how to structure your federal department to draw from and rely on GRC controls will be essential in successfully deploying management capabilities.
If you’re looking for a GRC solution that can ensure operational and management integrity, consider Ignite Digital Services as a development partner.
Rachelle Lowder is a Manager and Anthony Dacong is a Senior Consultant for Ignite Digital Services, specializing in audit, business process improvement and financial management within the DoN.