The evidence is compelling: IT governance, risk and compliance (GRC) is good for business. If that doesn't seem to be the case at your company, maybe you're not doing it right.
A realistic and well-executed IT GRC program pays big dividends in reduced costs, reduced risk, consistent compliance, increased business and even better morale, according to a panel that addressed the subject at the Symantec Vision 2008 conference in Las Vegas this week.
The panel cited the striking results of a recently released annual report of the IT Policy Compliance Group, based on research conducted with more than 2,600 organizations around the world. Companies with the most mature IT GRC practices performed, on average, 13% to 17% better than those with the least mature practices in customer satisfaction, customer retention, revenue, profit and reduced expenses.
"The data showed practices that were responsible for better outcomes," said James Hurley, managing director of the IT Policy Compliance Group (ITPCG) and principal research manager at Symantec. "Those companies had to have very different procedures and practices in place that connected those linkages between senior management and operations in order to achieve those stellar outcomes."
The panel identified bridging that gap between senior management's business goals and IT operations as one of the keys to a successful IT GRC program, especially in complex global business environments with disparate regulatory requirements and a wide range of costs in different parts of the world.
"The folks in IT know how things really operate," said Hurley, "but unless they can share language with senior management to translate what those risks mean to a business, and unless IT knows what the common objectives are, it's really difficult to connect not only at a local level, but internationally."
The panel also included ITPCG members Rocco Grillo, managing director of Protiviti, and Ron Hale, director of information security practices at ISACA. Other panelists were Jennifer Lesser, manager of KPMG's IT advisory for information protection services; Scott Crawford, research director for security and risk management at Enterprise Management Associates (EMA); and Don Young, director of IT services at American Systems, a Symantec customer that uses its Control Compliance Suite. (Symantec announced the latest version of the suite this week in conjunction with the conference.)
"It starts at the top," said Grillo, "a combination of both organizations building common languages, a partnership between business and IT. Many companies have metrics around everything -- the key is to pull the right metrics for reporting that are relevant to the business and that make sense from a business perspective to help you meet compliance objectives."
Mature IT GRC programs make intelligent use of standard frameworks, such as COBIT or ISO 27002, and cut across business silos to build common processes. The panel found that the particular framework chosen was less important than applying it across the organization and, perhaps most importantly, adapting it to the organization's particular situation.
"A framework is a framework is a framework," said KPMG's Lesser. "It's taking the key portions and figuring out what are most important to your organization; what are the outside threats, risks and vulnerabilities that you need to consider, and what is going to provide the most value to your organization; defining a framework based on these industry standards that really fits your specific needs."
Lesser said that in addition to the tangible gains, the ability to reuse the same work across multiple projects, business initiatives and compliance audits has a marked effect on the morale of employees, who work more efficiently as a result.
Implementing automation tools, the panel agreed, was the last step in building IT GRC in an organization.
"The poor approach is to say we're going to do IT GRC, and there are some automated tools available," said ISACA's Hale, "and let's implement these without really understanding what GRC is, what their objectives are, who's going to use the information, and how does it support their decision making."
A lot of times people think about IT GRC and think "tools," said Lesser. "A tool is a very small portion of the overall IT GRC program. People ask how long is it going to take and how much is it going to cost?"
"There's no finish line with IT GRC; it's cyclical because the risks, and the threats and the landscape outside is constantly going to be changing."