Navigating the GRC Maze
By Samuel Greengard | Posted 2011-09-30
Governance, risk management and compliance are increasingly woven into all aspects of business, so it’s vital for management to understand the complexities involved in this issue.
A daunting array of regulatory and compliance requirements face businesses these days, as various breakdowns and meltdowns have prompted political leaders and entire industries to introduce a growing tangle of laws, regulations and industry standards.
From Sarbanes-Oxley (SOX) to the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS) to the EU Privacy Directive, governance, risk management and compliance (GRC) solutions have moved into the mainstream.
Today, GRC touches almost every corner of an enterprise, including business operations, security and IT assets. Moreover, new and expanding technologies—including mobility, cloud computing and social media—have made it more difficult than ever to keep data secure and comply with government and industry requirements. “The GRC landscape is continuing to change, and companies must change with it,” observes Rob Dyson, a senior consultant at Accenture.
As systems and organizations become more interconnected and intertwined, it’s vital to understand where data travels, where it’s stored and who has access to it. In addition, sustainability initiatives and other corporate reporting requirements create new wrinkles and challenges. “Organizations must find a way to build an effective governance framework that bridges IT and business operations,” explains Don Ulsch, CEO of consulting firm ZeroPoint Risk Research.
How can an IT department develop an effective technology foundation? What role does it have in helping business leaders formulate policies and guidelines? And what types of systems and tools are necessary to build a robust and flexible GRC framework?
For most organizations, it’s a topic that requires considerable attention and resources. Says Nitin Bhas, research analyst for Juniper Research in the United Kingdom: “Enterprises must be able to provide constant real-time protection for applications, files and data.”
It’s impossible to dispute the power and value of IT. Over the past few decades, it has transformed the business landscape and provided capabilities that would have once been unimaginable. But with all the gain comes a certain amount of pain.
“Technology, by its nature, advances faster than the ability to provide an appropriate governance framework,” Ulsch points out. “Today, businesses find themselves facing enormous challenges in securing data.”
Although many organizations have constructed a GRC framework—with applications and tools designed to monitor, report and provide alerts about compliance-related activities—gaps and potential hazards exist, Ulsch says. Instant messaging, mobile communications, clouds and social media communications ratchet up the challenges.
“Many organizations deal with these systems by writing a policy, procedure or prohibition,” he adds. “Unfortunately, people often violate policies and undermine procedures.”
The upshot? Risk mitigation must focus on a number of key areas: security deployment, privacy, threat and risk analysis, compliance with government regulations and industry requirements, enforcement strategies, internal audits and overall practices management. Building a holistic approach into a GRC framework means focusing on these issues—both internally and with service providers.