Home > Risk > SC Magazine eBook on GRC – good advice in the midst of confusion

SC Magazine eBook on GRC – good advice in the midst of confusion

SC Magazine has published an eBook on GRC that is worth a review and contains some useful information around the Information Security aspect of GRC.

However, it is unclear (as is often the case when you talk about GRC) whether this piece will clarify the topic or make it even more confusing to readers.

First, the good:

  • With quotes from my friend Michael Rasmussen and E&Y, it emphasizes the need to avoid silos in governance, risk management, and compliance processes.
  • There is a list of 8 best practices for information security and privacy management by the CEO of Global Cyber Risk. Recommendations that may spark debate include separation of the chief information security officer from the chief privacy officer, with neither reporting to the CIO.
  • It stresses that risk and information security should be owned by operating management, with advice from risk and security officers.

Now, the not so good:

  • The piece does not make it clear whether GRC is just about IT issues or about the business as a whole (it should be the latter). While it mentions a lack of clarity about the meaning of GRC, it does little to address it and much to make it worse.
  • It supports the use of an enterprise GRC solution (or set of solutions) to ensure integration across risk and compliance, while ignoring the fact that this will often result  in silos in the IT infrastructure. I continue to be amazed that so few people understand the need for risk management and other solutions to be integrated with enterprise applications (such as the financial systems) so that risk and compliance can be embedded into business process and monitoring can be automated. The value of integrating risk management and audit management is far less than integrating risk management with ERP systems. In fact, acquiring an integrated GRC solution set that is based on different technology from other enterprise applications can result in inefficiencies, separation of risk/compliance from business processes, and limitations of the overall IT infrastructure.

Much of the eBook is on the strength and weaknesses of enterprise GRC systems (which are a basket of related solutions for risk management, compliance management, policy management, and audit management and sometimes include one or more of user access control, continuous auditing/monitoring, identity management, and more – all depending on the vendor). Chris McLean of Forrester Research is an analyst in the GRC space. He points out that many organizations may have to go with point solutions to address specific compliance requirements, rather than a GRC solution. My view is that every organization should assess its needs, including the value technology would bring in:

  • Risk management across the enterprise, including risk monitoring
  • Compliance management
  • Information security and privacy
  • Performance management
  • Standards, policies, and procedures management
  • Support for governance activities, including the board
  • Audit management
  • Integration to enable a common and consistent view of risk, compliance, and performance – embedding risk and compliance in everyday decision-making and business processes
  • IT infrastructure optimization, including cost, technical support capabilities, its ability to support growth and agility, and performance
  • and more

Rather than presuming that your needs will be addressed by a GRC solution, get what is best for you and your business needs in the long term. Recognize that diversity in technology is NOT a good thing. It carries cost, limits business agility, and increases risk.

  1. July 30, 2012 at 12:31 AM

    Thanks for this Norman. A useful review of an interesting area. I would counter though that the approach outlined is one that is very ‘large software provider’ centric. I am not convinced that a behemoth of a large IT ERP software platform fits in all cases. A perfectly reasonable response is to go for a ‘best of breed’ IT approach. The costs of creating a data warehouse and glueing the IT systems together can be less than the premium charged by the large ERP software providers and the costs of having a one size fits all system. Whilst I appreciate you work for SAP and will obviously consider the value of their offering, for all but the largest organisations these solutions can sometimes be a sledgehammer to crack a nut. I would suggest that IT solutions can automate and join up risk management and compliance, but they can also serve to remove the focus and engagement of people that glueing different systems together through man-made processes brings.

    I would, therefore, take a more contingent and organisation-focused approach which may prescribe a single IT platform or best of breed.

  2. Norman Marks
    July 30, 2012 at 1:04 AM

    Anthony, thank you for the comment. I am not making this argument because I work for SAP. After all, they also have a GRC solution set and are ranked by Gartner and Forrester highly in that space.

    I am making this argument based on my years of IT management as well as internal audit and risk management. I am a strong believer that IT has to be an efficient provider of services to the business, and in my experience that is significantly hampered when you take a “best of breed” approach to software. While the individual parts may be perfect, the whole is often a complex mess with interfaces that are a pain to maintain. I’ve been there, done that, and don’t want to do it again.

    I have yet to meet an effective CIO that wasn’t very concerned with the cost of operations, the complexity of the infrastructure, and the need for agility in the face of a rapidly moving business environment.

    I will agree that software cost is an issue, and it is hard if not impossible to persuade management to purchase software from your ERP vendor at double the cost from a niche vendor.

    The issue is that people are not considering the need to integrate with enterprise applications, the risk of infrastructure complexity, and the cost and risk incurred when you have many technologies to patch together, when selecting solutions for their GRC processes.

    If the decision to acquire from a niche GRC vendor is made considering all these factors, then I am fine. The problem is that most don’t.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: