Taking a Broad Approach
By Samuel Greengard | Posted 2011-09-30
Governance, risk management and compliance (GRC) are increasingly woven into all aspects of business, so it’s vital for management to understand the complexities involved.
Taking a Broad Approach
One organization that’s taking a broad approach to GRC is the Northern Ireland Civil Service (NICS). The government organization has more than 25,000 civil servants delivering key services, as well as economic and social policy data, to government ministers and citizens throughout the country. Protecting sensitive data and records while adhering to regulatory requirements, including the U.K.’s Data Protection and Freedom of Information acts, is vital, says Mike Beare, project manager in the Department of Finance and Personnel.
NICS data resides in a tangle of documents and systems that involve 11 government departments and more than 250 sites. Using Hewlett-Packard TRIM records management software, NICS has built a single virtual data repository known as Records NI (Northern Ireland).
The system contains both structured and unstructured data—including more than 9 million documents and information about email accounts, network devices and hard disks. It allows the agency to control who may access information, and also tracks documents and how they’re used and shared.
What’s more, the Records NI system makes it easier to retrieve needed information, whether the request comes from a journalist filing a Freedom of Information Act request or from a government official seeking legislative records. Beare says that the system has helped NICS achieve a much higher level of compliance while improving overall workflows.
A Holistic Approach
Accenture’s Dyson says that, ultimately, effective GRC revolves around well-defined processes, the right tools and technologies, and ensuring that employees and partners are trustworthy and educated about the risks inherent in today’s business environment. “GRC should be thought of as a way to bring information together from a variety of different sources,” he says. “The objective is to create a dashboard with all the information needed for GRC management.”
A holistic approach to GRC is critical, ZeroPoint’s Ulsch adds. Businesses must undergo a comprehensive audit of systems and processes to build a strategy and solution that spans the business and IT sides of the enterprise. In some cases, he says, it’s helpful to engage security experts or hire white-hat hackers who attempt to break into systems, steal data and identify vulnerabilities.
Ulsch believes that organizations usually benefit by wresting control of GRC away from the executive who directs security and placing it in the domain of an audit and risk committee. In a similar fashion, a chief risk officer who reports to the board or to the general counsel rather than to the CEO creates much-needed independence, he adds.
In the end, compliance is about managing risk in the best possible way. “Often overlooked is the fact that you can be in total compliance with a regulation or requirement but still face a related problem that can undermine or destroy a business,” Ulsch explains. “It’s important to look beyond specific tools and create an entire GRC framework that addresses all types of systems, processes and data. Successful organizations think of the ‘g’ and the ‘c’ as lower-case letters and the ‘R’ as a capital letter. Risk is at the center of everything.”