
For 23 years, Longevity Consulting LLC has helped federal agencies establish Governance, Risk and Compliance (GRC) processes. With our deep understanding of the types of organizational risks and federal regulations that bind organizations, we have helped stakeholders and executives at dozens of agencies identify and mitigate risk throughout the project lifecycle. In the following Q&A, Longevity’s Chief Operations Officer (COO) Eric Thompson talks about developing FedRisk and the importance of having a sophisticated GRC system.
Why do federal agencies need Governance, Risk & Compliance (GRC)?
GRC provides a mechanism and structure for agencies to evaluate and monitor compliance for institutions impacted by a specific federal regulation. In many cases, agencies are monitoring other entities as well as following the regulations. Thus, GRC is important from both a monitoring/self-monitoring and audit perspective. For example, in the case of Personally Identifiable Information (PII) and A123 Controls, federal agencies monitor entities that are bound by regulations and how they monitor themselves for regulations by which they are bound.
Why is having the right GRC system so crucial to SEC-regulated companies?
GRC is critical for SEC-regulated companies because it’s about ensuring those firms have the right tools and mechanisms in place to assess many factors. For example, accounting methods, ethical factors (complying with what is ethical and right by consumers and shareholders), standards and quality controls – our GRC software assesses and monitors if those entities have those processes and tools in place for the organization, then we work together to integrate them.
What are the first things organizations should do in planning for GRC management?
Once there is a clear understanding amongst stakeholders of the business area in which the organization operates and the compliance and regulatory areas they are bound by, the organization should start to assess the specific types of risk that may be involved, whether it be risk for the mission, such as specific business areas, or something directly tied to one of the regulatory requirements that the organization needs to meet (fines, reputation risk, impact to overall revenue structure, funding, etc.).
If they are not complying with certain regulatory requirements, they should start assessing the severity of those risks and determine prioritization. A GRC tool is instrumental in this – it allows the organization to assess its key risks and report back to stakeholders for each set of activities associated with mitigating risks and their controls. That, in turn, builds a good framework for automatic auditing, to see how the organization is complying with each of the regulations, and gives a health check for each. It’s also important to identify the people in the organization who identify risk and determine how you manage it. We take both a top-down and a bottom-up approach to risk control, then get stakeholders on board to address them. Organizations serious about GRC need senior leadership buy-in, as well as people working within the organization to assist with implementation of the GRC program.
How does FedRisk address the common challenges managers face with GRC?
Our goal is to provide an end-to-end solution that gives organizations the ability to quickly identify a governance framework specifically associated with a project or a regulation by which the organization is bound, and then assess the project requirements. We built all that into the tool to help organizations get started in the process without some of the most common challenges. The software can help you track down requirements, figure out how you are going to manage them and what you will have as your data store. All that information can be pushed to end users on a system-generated, time-based schedule so that the end user doesn’t always have to initiate. The system provides notifications and metric summaries to indicate the status of any given audit or risk that’s been defined in the system.
What makes FedRisk innovative?
Working from the perspective of users who may be facing increasing risk management costs and non-compliance penalties, our developers built the following innovations into the platform:
- A systematic approach to risk identification that automates the process of identifying, assessing, and prioritizing risks across departments, business units, and processes, allowing for better decision-making.
- Automated workflows and real-time data that facilitate cross-departmental collaboration, cutting the time and cost associated with managing risks.
- A centralized repository of policies, procedures, and controls that provides real-time monitoring of compliance activities.
- Advanced reporting capabilities for analyzing data that aids in identifying trends.
- Task automation, control testing, and compliance monitoring that cut the time and effort required to manage risks, so organizations can focus on more strategic initiatives.
- A platform for sharing information, documents, and reports, improving communication and collaboration and ensuring that everyone is working towards the same goals.
- Data security compliance for enterprise systems and sensitive information such as Payment Card Industry (PCI), Personally Identifiable Information (PII), and Health Insurance Portability and Accountability Act (HIPAA).
Does FedRisk Support Custom Workflows?
Absolutely. FedRisk provides a customizable workflow module that allows organizations to integrate governance, risk, and compliance into any business process. Users can automate compliance monitoring by adding events that trigger actions within the system. FedRisk can automatically assign a task, create a risk, perform an audit test, and send an email notification – based on the status of each workflow step.
Does FedRisk Support Approval Workflows?
It does! FedRisk allows users to initiate an approval request for any system data type (e.g., Document, Risk, Audit Test, Control, Task, CAP/POAM, WBS, etc.). Approval workflows can have one or more approvers, and multiple stakeholders can be copied on the approval request.
What trends in GRC did you consider in developing the FedRisk solution?
Our developers worked from the perspective of users who we know can benefit from frameworks already baked into the system. With more than 20 frameworks included out-of-the-box, FedRisk serves as a single cloud-based platform that all organizational users can leverage to manage risk and compliance. We also incorporated a Work Breakdown Structure (WBS) component into FedRisk that allows us to track structures associated with any project in particular, but specifically those most beneficial and integrated with risk-based projects defined by GRC.
What is Longevity’s experience and history with GRC?
As a management consulting firm, our strategy experts have helped identify, define, track and monitor organizational risk for more than 20 years. Our focus has been to understand which regulations bind certain organizations and how to help senior leadership and organizational stakeholders identify and mitigate those risks. We have always looked for opportunities to create tools that provide value for our customers using our insights and overarching industry knowledge, and we have hired dozens of people to assist us with the entire GRC life cycle. Our teams have expertise that ranges from assisting organizations with their cybersecurity risk and risk management framework to implementing IT security and internal controls that agencies must self-monitor annually.
Who can benefit most from FedRisk?
We designed our platform to support organizations regulated by federal mandates, to protect against large fines and lost revenue for non-compliance. Our product also supports federal employees who oversee compliance for multiple organizations. FedRisk captures all GRC-related risks across the entire organization, identifies interdependencies, and quickly determines and prioritizes high-impact resolution techniques.
- Those who oversee cybersecurity in an organization can use FedRisk to conduct the entire Risk Management Framework (RMF) process, track risks at each stage, notify stakeholders of action items, and view real-time project status reports. The Authority to Operate (ATO) approval process is also expedited with our pre-defined, customizable WBS templates.
- Chief Risk Officers, Business Area Owners, Data Risk Managers, and Risk Management Analysts play a crucial role in health data risk privacy and compliance oversight. They can use FedRisk’s integration with WBS to gain insights into the status, risk posture, and variance for all GRC projects such as environmental compliance, health and safety compliance, emergency preparedness and other risk management initiatives.
- National defense programs need robust compliance mechanisms to meet goals critical for national security and the protection of sensitive information. The FedRisk platform supports CMMC compliance and Supply Chain Risk Management compliance, supports the protection of national security, ensures the effectiveness of defense operations, and prevents unauthorized access to sensitive information and technologies.
What return on investment can federal organizations expect when they integrate FedRisk into the GRC lifecycle?
Our analysis projects organizations may realize the following benefits by using FedRisk:
- Up to a 65% reduction in labor hours required to manage enterprise risk
- Resolution of corrective action plans and plans of action and milestones up to three times faster
- Real-time notifications for all GRC-related project updates
- Up to a 44% reduction in total risk management costs
- 50% reduction in audit support costs
When organizational compliance stakeholders (Chief Information Security Officers, Auditors, GRC Analysts and IT Security Analysts) are alerted to potential compliance pitfalls, they can quickly course correct.
Our suite of interactive dashboards, task tracking and risk-monitoring tools for all GRC projects provides up-to-date snapshots of regulatory compliance, risk posture and target areas that require mitigation. We built our platform to support continuous audit readiness. Stakeholders are automatically notified of compliance and audit status, tasks can be filtered by project and organization, and the dashboard displays audit history and performance metrics. Our WBS module also develops detailed project plans that map to audit and GRC maintenance lifecycles, and provides real-time performance metrics on cost, schedule, budget, and task completion status.