Framing a Strategy
By Samuel Greengard | Posted 2009-08-04
In today’s data-centric world, organizations are striving to do a better job of recognizing and containing risks.
Utter the words “enterprise risk management” to any corporate executive, and you’re likely to wind up with an earful about protecting assets and steering clear of trouble. High-profile examples of breakdowns abound, and there is a growing focus on accounting and security practices. A major reason for the change: Government entities have increasingly introduced regulations and laws stipulating privacy standards, accounting rules, environmental and other requirements in response to the excesses of the past.
According to Deloitte Financial Advisory Services, 24.3 percent of survey respondents in 2009 indicated that they view the risk of a government investigation as being higher today than a year ago, yet only 20.8 percent of these executives say their organizations are “very ready” to handle a government or regulatory investigation. Worse: A 2008 study conducted by Aon Risk Services found that among 320 corporations in 29 countries, a shocking 42 percent of respondents identified risk only through intuition.
That’s not good enough in an era of accountability and transparency. The upshot? Management must play an active role in framing a strategy, says Burton Group’s Bugajski: “There must be an overall framework in place to manage risk and oversee compliance for both internal and external factors.” This task is made even more difficult by shared data, unstructured data, and massive amounts of stored and archived data. “In many cases, companies don’t even know what data they have and where it resides,” he adds.
A starting point for addressing the challenge is to recognize the roles of both the business and IT sides of the enterprise. Business leaders must build the conceptual framework for identifying data that’s sensitive or private, knowing where it should reside and how it will be used. The IT department, on the other hand, serves as the custodian of the data and must develop systems to monitor, manage and protect the information. Both groups must work closely together within a formalized structure.
Unfortunately, creating rules and privileges—and determining where data will be stored—frequently emerges as a point of conflict within an enterprise. “Oftentimes,” Bugajski says, “the business side will say, ‘Well, we don’t know where the data is, and we can’t really do anything about it.’ There’s an element of truth in that because the data may be stored in the cloud somewhere. But that doesn’t eliminate the responsibility for managing the data.”
At that point, it’s up to IT to identify ways to locate all the data on the network and beyond—while also identifying software and tools to protect it. Lantego’s Landoll contends that identifying a single data owner is a key factor in achieving success in the GRC arena. “Too often, it’s not clear who has ownership of data,” he says. “Users throughout an organization wind up making decisions that may or may not fit the company’s best interests.”
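One way IT can start locating sensitive data and tying each finding to an accountable owner, as an added example that is not part of the original article or of any vendor product it names: a small Python scanner run over constructed sample files. The file contents, the ownership map and its path prefixes are assumptions for illustration (the card numbers are industry test numbers, not real accounts). The detectors are generic: card numbers are accepted only if they pass the Luhn check, which is what keeps a 16-digit device serial out of the report; a US SSN pattern and e-mail addresses are matched directly; and any file whose path maps to no owner is reported as UNASSIGNED, which is the ownership gap Landoll describes.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample content standing in for files on a network share.
# None of it is real data; the card numbers are industry test numbers.
SAMPLE_FILES: Dict[str, str] = {
    "/shares/finance/q3_payments.csv": (
        "customer,card\n"
        "A. Smith,4111 1111 1111 1111\n"
        "B. Jones,4000 0000 0000 0002\n"
    ),
    "/shares/hr/benefits.txt": (
        "Enrollee SSN: 123-45-6789\n"
        "Contact: jane.doe@example.com\n"
    ),
    "/shares/eng/README.md": (
        "Build with make. Device serial 4111 1111 1111 1112 is not a card.\n"
    ),
    "/home/tmp/export.txt": "card 5555 5555 5555 4444 copied from finance\n",
}

# Hypothetical ownership map maintained by the business side:
# path prefix -> the single accountable data owner.
OWNERS: Dict[str, str] = {
    "/shares/finance/": "finance-controller",
    "/shares/hr/": "hr-director",
    "/shares/eng/": "eng-manager",
}

# Detectors. The card pattern is deliberately loose (13-19 digits with optional
# spaces or hyphens) and relies on the Luhn check to reject non-card numbers.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str    # "pan", "ssn" or "email"
    owner: str   # accountable owner, or "UNASSIGNED" when nobody is mapped
    masked: str  # redacted sample so the inventory itself is not sensitive


def owner_for(path: str, owners: Dict[str, str]) -> str:
    """Map a path to its owner by longest matching prefix, else UNASSIGNED."""
    best: Optional[str] = None
    for prefix in owners:
        if path.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    return owners[best] if best else "UNASSIGNED"


def mask(value: str, keep: int = 4) -> str:
    """Keep only the trailing characters of a sensitive value."""
    return "*" * (len(value) - keep) + value[-keep:]


def classify(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (kind, masked_sample) for each sensitive item found in the text."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            yield "pan", mask(digits)
    for m in SSN_RE.finditer(text):
        yield "ssn", mask(m.group())
    for m in EMAIL_RE.finditer(text):
        local, _, domain = m.group().partition("@")
        yield "email", local[0] + "***@" + domain


def scan(files: Dict[str, str], owners: Dict[str, str]) -> List[Finding]:
    """Build an inventory of sensitive data with owner attribution."""
    findings: List[Finding] = []
    for path, text in files.items():
        owner = owner_for(path, owners)
        for kind, sample in classify(text):
            findings.append(Finding(path, kind, owner, sample))
    return findings


def unassigned(findings: List[Finding]) -> List[Finding]:
    """Findings nobody owns: the first thing to escalate to the business side."""
    return [f for f in findings if f.owner == "UNASSIGNED"]


if __name__ == "__main__":
    for f in scan(SAMPLE_FILES, OWNERS):
        print(f"{f.kind:5} {f.owner:18} {f.path}  {f.masked}")
```

On the constructed input the scan reports three card numbers, one SSN and one e-mail address; the serial in the engineering README matches the card pattern but fails Luhn and is dropped, and the copy under /home/tmp surfaces as UNASSIGNED because no owner prefix covers it. A real deployment would walk file shares and databases instead of an in-memory dict, but the owner-attribution step is the part that turns a scan into something the business side can act on.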
Automation is also essential. GRC products cover access control and entitlements, firewalls, encryption, digital rights management, endpoint security and reporting. Some systems monitor compliance and compare IT configuration changes, including those made by individual employees, against security policy so that violations can be flagged. A variety of vendors offer GRC solutions, including BlackLine Systems, CA, IBM, Informatica, Lumigent, Microsoft, Novell, Oracle and SAP.
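The policy comparison those systems perform can be reduced to a small rule engine. What follows is an added example, not code from the article or from any of the vendors it lists: a Python checker that takes a hypothetical security policy (required values, an allowed set, a numeric minimum) and a constructed change log in which every change records the user who made it, then reports each change that leaves a governed setting out of policy and counts violations per user. The policy keys, hosts and user names are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Hypothetical security policy: configuration key -> rule. Keys that are not
# listed are ungoverned and never produce a violation.
POLICY: Dict[str, Dict[str, Any]] = {
    "sshd.PasswordAuthentication": {"must_equal": "no"},
    "firewall.default_policy": {"must_equal": "DROP"},
    "storage.encryption_at_rest": {"must_equal": "enabled"},
    "audit.log_retention_days": {"min": 365},
    "tls.min_version": {"one_of": ["1.2", "1.3"]},
}


@dataclass(frozen=True)
class Change:
    ts: str    # when the change was recorded
    host: str
    user: str  # who made it: the per-employee attribution the article calls for
    key: str
    old: str
    new: str


# Constructed change-log entries, in the shape a configuration-monitoring
# agent might report them. Hosts and users are invented.
CHANGES: List[Change] = [
    Change("2009-08-01T09:12Z", "web01", "alice", "sshd.PasswordAuthentication", "yes", "no"),
    Change("2009-08-01T10:30Z", "db01", "bob", "sshd.PasswordAuthentication", "no", "yes"),
    Change("2009-08-01T10:31Z", "db01", "bob", "firewall.default_policy", "DROP", "ACCEPT"),
    Change("2009-08-02T14:05Z", "log01", "carol", "audit.log_retention_days", "365", "90"),
    Change("2009-08-02T15:40Z", "web01", "alice", "motd.banner", "", "Authorized use only"),
    Change("2009-08-03T08:00Z", "lb01", "dave", "tls.min_version", "1.2", "1.0"),
]


def evaluate(change: Change, policy: Dict[str, Dict[str, Any]]) -> Optional[str]:
    """Return a reason string if the change's new value violates policy, else None."""
    rule = policy.get(change.key)
    if rule is None:
        return None  # ungoverned setting
    if "must_equal" in rule and change.new != rule["must_equal"]:
        return f"must be {rule['must_equal']!r}, got {change.new!r}"
    if "one_of" in rule and change.new not in rule["one_of"]:
        return f"must be one of {rule['one_of']}, got {change.new!r}"
    if "min" in rule:
        try:
            if int(change.new) < rule["min"]:
                return f"must be >= {rule['min']}, got {change.new!r}"
        except ValueError:
            # A non-numeric value for a numeric control is itself a violation.
            return f"must be an integer >= {rule['min']}, got {change.new!r}"
    return None


@dataclass(frozen=True)
class Violation:
    change: Change
    reason: str


def check_changes(changes: List[Change], policy: Dict[str, Dict[str, Any]]) -> List[Violation]:
    """Compare every recorded change against policy and keep the violations."""
    out: List[Violation] = []
    for c in changes:
        reason = evaluate(c, policy)
        if reason is not None:
            out.append(Violation(c, reason))
    return out


def by_user(violations: List[Violation]) -> Dict[str, int]:
    """Count violations per user so repeat or unauthorized changers stand out."""
    counts: Dict[str, int] = {}
    for v in violations:
        counts[v.change.user] = counts.get(v.change.user, 0) + 1
    return counts


if __name__ == "__main__":
    found = check_changes(CHANGES, POLICY)
    for v in found:
        c = v.change
        print(f"{c.ts} {c.host:6} {c.user:6} {c.key}: {v.reason}")
    print("violations per user:", by_user(found))
```

On the constructed log, alice's two changes pass (one restores a compliant value, the other touches an ungoverned banner), while bob, carol and dave each leave a governed control out of policy. Evaluating the new value rather than the diff keeps the check simple and also catches a change that never went through change control, since the agent reports what is on the host regardless of how it got there.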
Effective risk management also has to reach the large storage arrays, mobile devices and portable media such as the USB drives that employees carry with them. “Gaining visibility is a huge task, and indexing and e-discovery are crucial,” says Terri McClure, an analyst for Enterprise Strategy Group.