DKIS ALP Group GRC Platform (Governance, Risk Management and Compliance)

2019: Release of the GRC platform

On June 26, 2019 the Department of corporate information systems of ALP Group announced release of an import-independent technology platform of GRC. Development of DKIS allows to build in a complex of the Governance, Risk Management and Compliance functions the modern enterprise management systems (classes ERP and i-ERP) based on business software of 1C Company and its partners. According to the developer, on the functionality this GRC platform is comparable to the leading foreign analogs focused on the western ERP systems.

As noted in DKIS ALP Group, existence of the integrated complex of the GRC functions in an enterprise management system simplifies understanding of IT risks by heads of the organization. And also allows to control and reduce risks at any changes – whether it be the global transition to other principles of the organization of work covering all enterprise (for example, as a result of its digital transformation and (or) implementation of management on the basis of data – DDM), or a continuous flow of various rather small improvements at the level of separate functional divisions, business processes or territorial units. Besides, implementation in the ERP system of the concept of GRC which became the actual standard for the large organizations allows to extend to business software processes and practice of centralized operation by information security. The ALP Group GRC system is of special interest for the largest organizations where to solve problems of GRC without specialized instruments of automation impracticablly, and duplication and a disagreement of the Governance, Compliance and Risk Management functions can lead to very big costs.

ALP Group emphasized that a GRC system, thanks to integration into the 1C Platform, snizht risks in those business systems where because of the nature of the processed information of an effect of violation of restrictions or implementation of risks can be especially heavy or even destructive for the organization.

According to the statement of the developer, the DKIS GRC platform allows users (normally it is internal and external auditors) to create the compact formalized description of business risks, significant for the organization, and also to connect them with dangerous features of cybersecurity roles and combination of access rights which create conditions for implementation of these risks. Bans are set in the form of so-called SOD restrictions which violation creates SOD risks. The Russian enterprises consider identification and elimination of these risks one of the most perspective ways of increase in the IB real level. And the ALP Group GRC platform allows to solve this problem, having covered processes of formalization of risks and also automatic identification and elimination of violations of SOD restrictions.

According to the developer, in addition to versatile tools for the independent description of any risks and restrictions, important for the organization, in the ALP Group GRC system there are also prepared sets of restrictions conforming to requirements of the regulatory base of other states, in particular, of the law Sarbensa-Oxley (Sarbanes – Oxley Act, or SOX). The number and structure of such packets will be adjusted taking into account requirements of the Russian organizations.

The algorithm of automatic identification of the SOD conflicts of the ALP Group GRP platform is based on comparison of model of risks to the actual rights appointed to the employees in business applications. Loading of these rights and also descriptions of groups and other necessary parameters is automatic; for this purpose it is necessary to configure once the mechanism of integration of a GRC system into the 1C Platform. At the same time users of a GRC system receive easily interpreted reports, working with which, they can not only reveal discrepancies, but also plan control procedures for elimination of the revealed risks, and through certain time – to check their observance and, respectively, to estimate real efficiency of measures for correction of the revealed dangerous situations, noted in ALP Group.

In some cases presence of potentially dangerous combination of access rights at heads and some staff of the organization (for example, at the chief accountant) follows from their job responsibilities and is not a consequence of actions of malefactors or errors. The auditor can note and exclude such combinations from risk analysis, having made reports much more compact and focused on real problems, the developer emphasized.

In ALP Group also noted what GRC ситема allows to set SOD restrictions and to analyze the actual distribution of the rights at once on several "cuts". It gives the chance to cover all almost important types of restrictions and also to make more transparent both descriptions of SOD rules, and the revealed violations.

As of June, 2019 a GRC system underwent comprehensive testing both in the internal ALP Group projects, and at a number of clients of the company. Development of DKIS is completely ready to application in projects of any complexity in the organizations of any scale, the developer claims.