GRC: Too Many Ways to Skin a Cat?
July 29, 2008
In a perfect business world, profits would always go up, IT would always be in alignment with the business, and governance, risk and compliance (GRC) would be managed by one standard platform serving all business units and departments across the enterprise.
The reality for many CIOs, though, is that they’ve inherited, or adapted to, disparate platforms for different GRC solutions to fill the needs of different entities within the organization. The result is that many businesses manage GRC in silos, perpetuating duplication and lack of coordination. This approach is inefficient at best, and dangerous at worst.
In fact, this may be a much more significant danger than many realize. The $7 billion loss caused by trading fraud at Societe Generale, for example, was apparently the result of a relatively junior employee circumventing controls and falsifying electronic communications while making unauthorized trades that in total exceeded the bank’s market capitalization.
It’s likely that scattered risk and compliance data marts played a role in the bank’s inability to detect the immense risks the rogue trader was creating. A set of IT controls was implemented to manage a business risk. But these controls proved insufficient, and it was subsequently revealed that a disconnect existed between the IT controls and the business risk they were meant to manage.
It is highly unlikely that the Societe Generale IT control owners knew that the risk exposure their controls were mitigating had grown to a figure as large as the bank’s total market capitalization and would result in a loss of $7 billion.
While few of us are likely to run into such a huge risk event, the lack of a holistic GRC vision will still cause an immense amount of pain for risk managers trying to get a clear picture of risk throughout the business. This can lead to disaster if these managers are unable to provide upper management with a true picture of risk across the enterprise.
How did we get into this mess? In the rush to address Sarbanes-Oxley (SOX) compliance, decisions over solution acquisition were largely driven by the CFO’s office, with the tacit approval of IT. Few IT organizations standardized on a strategy for managing risk and compliance data across the enterprise.
As GRC decisions came to the fore, IT was comfortable letting business groups drive the decision based on their particular needs. As a result, different parts of the problem are addressed by a wide and disparate range of solutions, including spreadsheets, custom applications, and commercial applications. IT, for example, has been focused on its own systems for managing risk and compliance, amplifying the traditional disconnect between business and IT and leaving each side with little understanding of how the other does GRC. The outcome is a fragmented and siloed approach across the enterprise.
In part, this situation reflects the lack of insight that IT, in general, has into the risks that business groups are dealing with, so IT is reluctant to impose a solution on something it doesn’t understand. IT departments also have their own risk issues to deal with, which are centered largely on security.
For each new regulation or risk discipline, organizations typically implement a new technology point-solution aimed at the specific mandate. This fragmented approach limits an organization’s ability to streamline risk and compliance processes and reduce costs.
It is costly and even dangerous to manage GRC in this manner, as the extent of an organization’s risks remains hidden from executives and largely unmanaged.
It also obscures the opportunity to integrate risk and compliance to gain a holistic view of the firm’s risk landscape. These are observations on which CIOs can find common ground with CFOs. It’s up to CIOs to join with CFOs to turn the tide and develop a strategy to either leverage existing technology or put in place a standard platform to support risk and compliance data and practices.
In a recent white paper, aptly titled “CIO at the Center,” the OCEG observed that, “An integrated GRC effort is a transforming initiative, affecting how the enterprise will function both in its strategic orientation and in its operational focus. At the center of it all, the CIO must understand the implications of GRC and be prepared to guide the organization through the change management process.”
This is very much in line with the adage that IT needs to better align its capabilities with the needs of the business. But when it comes to risk, it’s a little more complicated. The CIO and his staff need to understand not only the risk of moving information from Point A to Point B, but also the nature of the risk in the content held within those packets of data. How critical is the customer data being transported? What happens to the business if the sales force automation system goes down in the last week of the quarter? Without visibility into such issues, it’s difficult to understand the true business risks that IT controls are supposed to be mitigating.
Of course, that sounds a lot easier in theory than it is in practice. IT is accustomed to a high degree of standardization, using common frameworks and standards that provide checklists and established best practices. When it comes to business issues, risk may seem much more “touchy feely” and free-form, and thus resistant to the automation and electronic verification that is the essence of computer information systems. CIOs therefore write off the methodologies used by the business as inapplicable, when they should be looking to combine forces, learn from each other, and standardize on a common approach.
It’s critical for IT to have some understanding of the business risk, just as it’s increasingly important for CFOs to have automated, electronic GRC systems that span the entire organization. Developing a common language that both business managers and IT can relate to will go a long way in breaking down the barriers that prevent movement to an integrated GRC framework. In essence, IT and the business side must establish a shared risk universe and a shared concept of business processes so they can start to work together.
In many ways, GRC today is at a stage similar to CRM 10 or 15 years ago. Then, each department maintained its own customer relationship management tools, resulting in inefficiency and customer frustration, as well as duplication of effort and redundant investment. No company today would countenance a silo approach to CRM or ERP, but many have allowed GRC to evolve in a manner that lacks business sense and, worse, can leave the business exposed to hidden dangers.
About Gordon Burnes: As Vice President, Sales and Marketing, Gordon M. Burnes is responsible for leading the company’s sales, marketing and partnership efforts to help drive OpenPages’ revenue growth. Burnes brings to OpenPages seventeen years of experience working with high growth companies. Burnes comes to OpenPages from McNamee Lawrence, a boutique investment bank focused on the information technology sector, where he provided strategic financial advisory services to mid-market software companies.