Unifying Governance, Risk and Compliance

By Minda Zetlin

Over the past several years, a number of highly publicized security breaches have spawned an array of new regulations that govern how companies protect data and also require detailed reporting. As a result of these breaches, internal risk management teams and auditors have stepped up their efforts to ensure that data is secure, while customers and business partners have begun requiring the companies they do business with to adhere to a variety of industry standards.

These developments have left many IT departments scrambling to keep up with the rapidly growing requirement to provide reports, demonstrate regulatory compliance and respond to both internal and external requests for detailed security information.

“Multiple obligations start to intersect with one another,” notes Joe Atkinson, principal in PricewaterhouseCoopers’ advisory practice.

For example, an executive in contract management might create a task force to review an organization’s compliance with Payment Card Industry (PCI) standards, while another team is charged with finding out how those requirements are being met. At the same time, the company’s upper management is collecting information on security breaches.

As these requests come in, IT leaders might find themselves wondering if there isn’t a better way to manage priorities.

GRC (Governance, Risk and Compliance) could be the solution. GRC is not so much a tool or methodology as it is a management philosophy for bringing these different disciplines together and dealing with them as a unified whole, both inside and outside of IT functions.

“It’s not about having a checklist,” says Chris McClean, an analyst with Forrester Research. “It’s about creating a framework.”

How, exactly, does GRC work? Approaches are as varied as the companies that use them. But there are some principles that underlie every successful GRC effort:

GRC is not the same as centralization
“When people talk about integrating an activity, they sometimes mean centralization of that activity,” Atkinson says. But GRC is really about how the activity is managed, and how IT responds to requests for computing capacity.

Instead, he says, deciding whether to centralize data is just one of many decisions IT management must make as part of a GRC effort.

“Having a common method of working is more important than having everyone sitting together in the same data center,” notes Shawn Connors, director at PricewaterhouseCoopers.

GRC requires a common set of controls, processes and measurements
“When companies assess risk in lots of different ways throughout the organization, with lots of different tools and different forms, the likelihood they’ll get good information from the process goes down dramatically,” Atkinson says. “When they start pulling those things together, they gain efficiency, and also greater breadth of vision.”

The need for standardized controls leads many IT leaders to assume that installing the right recording or measurement software is all they have to do to manage GRC. While software can certainly help, effectively managing GRC requires a change of mindset as well.

GRC centers on risk management
“From a functional perspective, it’s really good to start using a risk-based approach to IT controls,” McClean says. “Begin by looking at different requirements and at things that can happen from a risk perspective. What would affect performance or uptime, and what is the greatest likelihood of that happening? This allows IT management to make more informed decisions.”

GRC helps manage resources wisely
“Every time someone asks IT to produce a report or develop a new risk management capability, they’re utilizing resources,” Atkinson says. “When several requests arrive from several different silos, it becomes much more difficult to compare those risks and allocate the right resources.”

Though it may seem heretical, managing GRC wisely may sometimes mean turning down a request for information, or relegating it to the back of the line, especially if the organization is facing a greater risk somewhere else.

“IT departments run out of resources long before they run out of risks,” Atkinson notes.

Getting started with GRC
What’s the best way to get a GRC effort off the ground? There’s no one answer, but here are some steps that can help:

1. Take time to see the big picture
This can be a challenge for IT departments racing to fulfill constantly changing security and compliance needs. But GRC requires strategic thinking, so it’s important to look beyond the current emergency and analyze the common elements among the different reports being requested.

2. Think process, not project
Don’t approach GRC as a project with a start and end date, at which point it will be “fully” in place. With compliance and other requirements changing almost every day, unifying governance, risk and compliance is an ongoing process that should guide management decisions into the future.

3. Convene a cross-functional team
Many organizations choose one individual to be responsible for coordinating GRC efforts, often someone in IT security or risk management. While this can be an effective approach, it may be even more effective to bring together a team to coordinate GRC. The team should consist of representatives from functions both inside and outside IT with a stake in GRC. These functions might include contract management, legal and internal auditing, to name just a few.

Finally, though GRC is an all-encompassing way to look at risk management, it may not be useful to start out with a grand plan.

“Don’t try to tackle it all at once,” McClean advises.

Instead, he suggests working on specific elements of GRC, such as creating a common framework for IT controls, which will help steer an organization toward the goal of unified GRC.

“The companies that are most successful are those that take a methodical approach,” he says.


Minda Zetlin is co-author of The Geek Gap: Why Business and Technology Professionals Don’t Understand Each Other and Why They Need Each Other to Survive.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.
