Keeping a Lid on Risk

In a world filled with risks, threats and potential compliance problems, there’s no way to build bulletproof business processes and ironclad IT systems. But, as a growing number of executives recognize, risky business isn’t a viable alternative.

“Industry is catching up to the thinking that it’s essential to manage assets, resources and risks in a focused and structured manner,” says Doug Landoll, chief strategist for the IT security consulting firm Lantego and author of The Security Risk Assessment Handbook: A Complete Guide for Performing Security Risk Assessments. “The need for systems to manage governance, compliance and regulatory issues is enormous.”

Clearly, managing a long list of internal issues and external requirements is no simple task. More than a few companies have found themselves reeling as a result of internal policies gone astray, or an inability to adhere to industry and government regulations. In today’s data-centric world, risk management is no longer an abstract concept; it’s an essential foundation for conducting business.

Organizations are searching for ways to take a more strategic tack, consolidate initiatives, and do a better job of recognizing and categorizing risk. Unfortunately, the situation isn’t getting any simpler.

Although high-profile regulatory and compliance requirements such as the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) grab the headlines, a spate of global initiatives conspires to create an almost mind-numbing situation. According to the Washington, D.C.-based Competitive Enterprise Institute, U.S. federal agencies alone issued 3,830 rules in 2008 at a total cost of $1.17 trillion. To be sure, there are complex security issues to cope with, internal business processes to examine and potentially high costs associated with IT systems, including storage devices and the software to manage them.

As a result, the concept of enterprise risk management is changing, says Joseph Bugajski, senior analyst at Burton Group. Organizations are looking to consolidate efforts and improve the visibility of risk throughout the enterprise. An effective governance, risk and compliance (GRC) strategy can help centralize and integrate policies, processes, procedures and controls.

“Although the term GRC is gaining traction throughout the business world, these initiatives actually represent different but similar challenges that relate to risk assessment and control of data,” Bugajski explains.

How can an enterprise navigate the GRC world? What can it do to minimize risk and maximize internal security? And how can it put business processes and IT systems to work in order to stay out of trouble?

What’s clear is that GRC can lead an organization through a confusing labyrinth of concepts, tools, business processes and IT systems. “What makes enterprise risk management so challenging,” says Karl Kispert, director of the Corporate Governance Advisory Practice at Huron Consulting Group, “is that many organizations have traditionally operated silos and have used fragmented solutions.”