CA
CA is a software vendor with over 13,000 employees (as of March 2008), based in Islandia, New York. The company focuses on IT management solutions, which it calls Enterprise IT Management.
Official website: http://www.ca.com
GRC solutions: http://www.ca.com/us/compliance-management.aspx
Answers from a survey conducted in spring 2009:
1. How does your company define the term “GRC”?
Risk is a measure of the effect of uncertainty on business objectives. Risk Management is the process by which an organization sets the risk tolerance, identifies potential risks and prioritizes the tolerance for risk based on the organization’s business objectives. Businesses use internal controls to manage and mitigate negative risk throughout the organization. But risk management also includes permitting activities through which the organization may undertake prudent risk in order to take advantage of business opportunities. The goal of risk management is to reduce loss (due to negative risk) and to create value for the company (through prudent risk-taking).
Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as internal corporate policies, procedures, and controls.
Governance is not a single set of processes, nor is it as semi-quantifiable as these other areas are. Governance is the culture, policies, procedures, and processes that create the environment and structure by which companies are managed. Governance, for example, includes the oversight of the company’s risk management and compliance programs, to ensure that they meet the strategic, business, legal, and ethical requirements, as interpreted by the Board and executive management.
We interpret GRC to mean the Governance of Risk and Compliance activities across the enterprise.
2. How do you see the relation between Enterprise Risk Management (ERM) and GRC? Are they synonyms?
Absolutely not. ERM is the management of enterprise risk – reducing negative risk and managing prudent risk undertaken in order to take advantage of business opportunities.
3. Please describe the software architecture of your company’s GRC portfolio. (What are the components? How do they interact? How closely are they integrated? Same data model? Same interface? Single application? …)
Enclosed is a graphic describing CA GRC Manager. It consists of a cross-reference repository of all risks, controls, regulations, programs, etc., common services, a series of functional components, role-based dashboards, and interface modules.

4. Are you trying to deliver a complete GRC solution covering all aspects of GRC, or are you focusing on certain aspects only? Which GRC capabilities are you delivering? e.g. audit management, risk assessment, risk reporting, access control…
We deliver a range of functional capabilities (see graphic), including risk management, policy management, program and project management, exception management, and the like. We do not do complete financial or market risk analysis, but otherwise we support a very comprehensive spectrum of risk and compliance capabilities.
5. What is your GRC software’s unique selling point compared to competitor products? (Please explain why only your software can deliver this advantage.)
Industry-leading program and project management capabilities, because it leverages the proven and scalable Clarity platform. No other GRC vendor can offer this level of program management capability.
Embedded, comprehensive regulatory repository for easy mapping of controls to regulatory requirements.
Very high, and proven, scalability. The framework on which GRC Manager is built is in deployment at over 800 customers, some of whom have very large-scale environments.
6. What are the top five benefits your customers gain when deploying your GRC solution?
1. Significantly improved oversight of compliance program and project execution, including full tracking of all compliance costs
2. Centralization of risk and compliance information, including mapping between all objects, to eliminate compliance and risk silos across the organization
3. Reduced compliance costs
4. Elimination of redundant compliance activities and processes
5. Excellent visibility of risk and compliance information, including role-based, customizable dashboards, for improved executive decision-making.
7. As a rule of thumb, which GRC applications and technologies would you centralise? (Where would you apply single, company-wide solutions?)
Centralization of risk and compliance information is important in order to eliminate redundant (and therefore inconsistent) compliance information. Other key services such as policy management, exception management, program management, etc., also need to be centralized to avoid duplication of effort and inconsistent processes. Also, risk management processes (identification, assessment, monitoring) should be consistent across the organization. Risk management can be done at the point of the information related to the risk, but there should be consistency as to how risk is classified and measured.
8. Which areas of your GRC portfolio are you especially trying to improve / further develop in the near future?
In the next release, we will have extensive capabilities for user surveys, as well as other capabilities.
9. What is your company’s vision of an ideal GRC process / technology setup in the future? (How does your vision differ from GRC process and technology landscapes in organisations today?)
We envision continued merging of information and activities related to risk management and compliance, and increased centralization of this information with improved visualization (dashboards) capabilities to support improved risk-related decision making.
We also see a trend towards a common risk management framework across the enterprise, so that there are consistent methods and terminology for risk identification, risk assessment, and risk monitoring.
10. What do you consider to be the key technologies employed in GRC in the future?
We see GRC management increasingly integrated with automated IT controls, such as identity management, access management, file and records management, change/configuration management, and other IT controls. Also, continuous and automated monitoring of these controls, with direct integration with GRC management, is important.
