IT-Business Alignment Takes a Step Forward with GRC
CEOs continue to demand more from IT than ever before, but there continues to be a credibility gap with the performance of the IT group, and the technology it provides and maintains, said Tony Torchia, a Pittsburgh-based KPMG Partner and the firms IT GRC network services leader. At the same time, CIOs are often frustrated by their lack of participation in, and exposure to, the goal-setting of the business. By aligning IT governance with corporate governance in the context of a holistic approach to GRC, executives may begin to close the gap and realize the benefits of convergence.
David Hill, an analyst at the Mesabi Group, explains that GRC is actually a fairly new umbrella concept that can be applied to all levels of governance. Starting at the top, we have corporate governance, under that we have IT governance and under IT governance we have information (or data) governance, said Hill. IT governance, then, becomes but one aspect of a coordinated GRC program. IT governance is usually managed and directed by the CIO. The other areas, such as risk and compliance were typically addressed by other individuals such as a CISO, risk manager and chief compliance officer. Sometimes this led to a disconnection between the various functions.
A holistic view of GRC can allow organizations, said Torchia, to get a handle on disparate and potentially redundant risk and compliance processes and programs across the enterprise. When there are many risk initiatives with no clear integrated goal or objective programs, the likely result is a sluggish organization. Hes talking about the tendency of companies to react to new regulations and business changes by building ad hoc governance processes, increasing their risk management practices and designing incremental compliance activities. As IT is usually the enabler for all of these programs, redundancies swell, leading to a costly and complex web of often uncoordinated structures, policies and practices.
OK. So what is GRC exactly? French Caldwell, a Gartner analyst, breaks it down the various elements as follows:
- Governance - The process by which policy is set and decision making is executed.
- Risk Management - The process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions, going beyond which creates an unacceptable potential for loss.
- Compliance - The process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements.
In a global KPMG study of executives, the top three reasons why they implemented a GRC program were to simplify overall business complexity (44 percent), reduce organizational risk exposure (37 percent) and improve corporate performance (32 percent). The reasons for the growth in acceptance of GRC are not hard to fathom. Vivian Tero, program manager for GRC Infrastructure at research house IDC, points out that IT governance tends to fall short of its goals when it is too project based and too narrowly focused on new software development, deployment, testing and implementation. Thus typical governance efforts in IT tend to be too tactical. GRC is an ongoing practice for managing risk and compliance, said Tero. The governance aspect deals with measuring and tracking accountability in the ongoing IT risk and IT compliance activities.
She advised CIOs and IT staff to move away from subjective measures and onto empirical measures to quantify risk. This includes a definition of corporate risk baseline (or appetite for risks) so that all IT activities, remediation decisions and prioritizes are based off quantified empirical measures. It also requires greater transparency and understanding of dependencies across IT risks, compliance requirements, IT assets and the technical processes.
While surveys indicate a perceived need, the reality is these functions continue to be done largely in isolation. Chris McClean, an analyst with Forrester, said he is not seeing a lot of convergence between IT governance and GRC. As a result, the application of GRC towards IT initiatives often doesnt include the governance aspects of the CIOs role. Where he sees the greatest potential for convergence, then is in the link between risk and performance management.
Although uncommon, some companies are defining IT risks as they relate to the achievement of IT objectives" (e.g., the risks that might impact system up time, data confidentiality, etc.), said McClean. This allows IT departments to make more balanced decisions that help to improve support for the business without exposing it to unacceptable risks.
Any planned move toward convergence will require a lot of organizations to change the way they approach governance, risk management, and IT compliance. Anyone embarking upon this path should foster more collaboration between risk, compliance, audit, and IT disciplines, and better understand how these groups should support each other. According to McClean, the costs and processes required to make these changes will be difficult, but they should lead to better understanding of how to improve ITs support for the business.
But Scott Gracyalny, managing director & global leader of Risk Technology Services for risk consultancy Protiviti, Inc., believes the time is right for GRC to come of age. Historically, IT governance has been in the realm of the CIO and has been focused on complying with internal policies and procedures. The GRC effort, on the other hand, is largely focused on the C―with compliance dominating. The overlap and impact is often focused on a sample of applications deemed critical for Sarbanes Oxley compliance. Now, after numerous years of Sarbanes Oxley, the overall understanding of the IT landscape and general computing controls has raised the knowledge level of key groups.By working together more closely than in the past, compliance, audit and IT professionals have built relationships and developed a sense for the dependencies and impact of IT on the business, said Gracyalny. As these groups have begun to collaborate, create a shared vision and integrate their efforts and budgets a natural tendency towards convergence has emerged."
One benefit of convergence is that the GRC groups can share best practices, leadership and their time and talent with the IT organization. This may result in improved access to management (board, audit committee) and a more concise framing of IT issues and their impact on the business. By the same token, the business can gain readier access to IT information, which can help the business scope their GRC programs, avoid duplicate efforts and target areas of risk that may not be part of the IT governance plan. This results in a more holistic coverage of the overall IT risk to the organization. It also positions the business to have better dialogue with IT on the risk of non-compliance and related impact to the business.
The business will also be the beneficiary of ITs approach, which likely includes automation, standardization, and the turning of large volumes of data into meaningful management information, said Gracyalny.
Technology serves as the backbone of an effective GRC architecture. It provides timely access to consistent, accurate and reliable information as well as the capability for appropriate intelligent reporting to facilitate executive decision-making. And firms like Protiviti and BTM Corporation are now offering software to assist in uniting the various aspects of GRC operations.
GRC is a combination of management in multiple dimensions and at the same time process in terms of tying things together to cover all three functional areas, said Gunnar Erickson, a practice director at BTM. The realization is to treat GRC not just as areas for the IT function, but more as a strategic concept for executives.
Risk, it seems, is playing a large part in turning the minds of C-level executives towards umbrella concepts such as GRC. The risk profile changes as new technologies, processes and partners are introduced. For example, when a company starts using social networking applications for marketing or when it starts using desktop virtualization or Cloud services, it introduces a new risk vector. Similarly, when regulations change or are introduced, risk has to be reevaluated.
Every time a company introduces a process, application, product or a partner, the interaction creates a ton of data, said Tero. This data must be evaluated for its GRC profile and protocols have to be adapted accordingly.
And this factor of risk has been brought more sharply into focus in recent times ... The financial crisis we are working through currently proves beyond a shadow of doubt that risk management is vital as part of strategy execution, said Erickson.