
GRC - burden or opportunity?

By Lance Harris, freelancer
Johannesburg, 25 Jul 2011

A shift towards a more heavily regulated business environment began in the early 2000s, following accounting scandals at American companies such as Enron and WorldCom.

Since then, new regulations and laws have multiplied every year, many of them demanding that companies introduce new IT systems or rethink the way they manage their technology and data.

Unsurprisingly, governance, risk and compliance (GRC) consistently emerge among the most important issues for IT departments worldwide in numerous surveys about their priorities for the next year or two.

For example, a recent survey by global industry association ISACA found regulatory compliance topped the list of business priorities for IT departments for 2011 and 2012.

A swarm of new regulations, laws and frameworks has also reached the South African market in recent years. These include the Companies Act, the Electronic Communications and Transactions Act, Protection of Personal Information Bill and the Consumer Protection Act. The financial services industry has been particularly hard hit by laws such as the National Credit Act and frameworks such as Basel II.

Yet, the consensus is that South African companies - outside of heavily regulated industries such as telecoms, pharmaceuticals and financial services - are not keeping up with the latest international best practices in GRC and especially in IT governance.

“South Africa's financial services industry leads the local market and follows international trends,” says Samresh Ramjith, CTO of Security Solutions at Dimension Data. “The rest of the market is lagging. Many organisations don't have a grip on the intrinsic value of their information and IT systems.”

The picture is changing. Local regulatory watchdogs such as the Financial Services Board and industry ombuds are baring their teeth, and laws and regulations are becoming tighter in many industries that were once lightly regulated, says Tim Stanley, regional sales director for Africa at Global 360.

A King with no power

One watershed moment in the local IT governance landscape is the release of the latest King Report on Corporate Governance in SA (King III). The document positions IT governance as a board-level issue and a critical part of any organisation's overall corporate governance structure.

King III recognises that IT is built right into the strategy of the business and should be regarded as part of its base of strategic assets. This marks a break from the cursory treatment of IT in earlier versions of the King Report.


Under King III's guidelines, the board of directors is responsible for IT governance and must ensure that an IT governance framework is established. IT governance in King III isn't just about risk management issues such as business continuity and information security. It's also about measuring and managing IT expenditure to benchmark the value it delivers.

Although King III is driving awareness of IT governance issues, businesses are proving slow to adopt its recommendations. The reason for this is that King III is an option, not a law, says Ramjith.

“King III has limited power from a GRC management perspective unless it becomes law,” agrees Alan Rehbock, sales and marketing director of Magix Security. “We need King III to become statute to really lift the level of local corporate governance.”

New laws with stiff penalties for non-compliance are more likely to drive changes in the way that South African companies manage their information and their IT systems. The Consumer Protection Act, which came into effect on 1 April, is already prompting some companies to rethink the ways they handle their marketing databases.

The Protection of Personal Information Bill (POPI), which is due to be enacted later this year, could force companies to radically rethink the ways they handle customer and business partner data. The Bill looks to beef up South Africans' right to privacy by introducing strict measures to regulate the collection, storage and distribution of personal information.

Andrew Whittaker, senior security, identity and access management consultant at Ubusha, says POPI will have teeth because companies will be answerable to an Information Protection Regulator and will face stiff penalties for breaches of the Act. Companies will also be expected to regulate themselves through the internal appointment of information protection officers.

Clean out, modernise

GRC is still a grudge purchase for most businesses. But given that legal and regulatory compliance is an inescapable fact of life, companies should use it as an opportunity to strengthen their businesses and tidy up their IT environments, say GRC experts.

“It's not only an opportunity to improve business,” says Rehbock. “It's also an investment in the business, the company's brand and in confidence and trust in the business.”

Sound governance can help companies become more competitive, provided it becomes part of everyday life for their employees, says Anja Hattingh, vice-president for finance and controlling at T-Systems SA, who is overseeing a governance and compliance project at her company.

“If you do it right, it can give people a reason to work for you rather than for another company,” she says. “It's also about profitability and sustainability. It gives your customers the assurance that you will still be around in two or three years' time. GRC helps to make an organisation a good company to invest in and do business with.”

Organisations should align GRC with the purpose of the organisation, which is generally to make money, says Ian Huntly, CEO and MD of Rifle-Shot Performance Holdings. GRC helps ensure that there are no surprises for the board and investors. It gives managers and the board insight into whether or not they are meeting their strategic goals.

“Many people have started out by asking, 'How can we pass next week's exam?' That's one approach. But the right way to go about it is from a strategic level,” adds Huntly.

“The Y2K transition turned out to be a fantastic cleaning-out process,” says Steve Webster, acting CEO at The Webcom Group. “Companies got rid of systems they didn't need and modernised others. In the same way, companies could use GRC as an opportunity to make their systems lean and mean.”

Two-fold impact

GRC impacts IT departments in two major ways: by demanding the introduction of new systems to meet the reporting requirements of laws, regulations and standards such as Basel II, Sarbanes-Oxley and King III, and by demanding that companies put the IT frameworks and tools in place to manage IT-related business risks such as information security, data privacy and business continuity.


Companies shouldn't put point solutions in place when new regulatory needs arise, but ensure they have flexible platforms that can cater for future requirements, says Connie Grobler, technical specialist for identity and security management at Novell SA.

“Businesses are increasingly aware that once you have the basics in place, complying with the next regulation isn't that hard. Not every requirement needs new systems,” adds Grobler.

Business intelligence and enterprise management software vendors sell a number of solutions aimed at GRC requirements. One important change in the market is that companies need to be able to report on and control aspects of their business that go beyond the financial.

Today's governance requirements mean companies need visibility in their business from shop floor right through to the head-office finance system, says Huntly.

Reporting requirements increasingly encompass operations as well as finance. GRC is now often combined with content management, quality and corporate performance management tools and disciplines to support requirements such as triple bottom-line reporting.

Solutions such as business process management provide real-time visibility into business processes so that organisations can see when employees are breaching policies and stepping outside the business process, says Stanley.

Identity governance is another hot button, thanks to POPI. Companies need to control access to customer data and be able to identify everyone, including contractors, who has access to this information, says Whittaker.

This task is made much simpler by systems that automate the processes of provisioning and revoking access to systems, as well as auditing who has access to them. Some local companies affected by the US Sarbanes-Oxley Act have already been forced to put such solutions in place.
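The access audit described above boils down to reconciling an authoritative people source (usually HR) against what the systems actually grant, so that leavers, expired contractors and accounts nobody owns are found and revoked. The script below is an added illustration of that reconciliation and is not code from the article or from any of the vendors quoted in it; the roster, the entitlement export, the system names and the dates are all constructed sample data, and treating HR as the source of truth for identity is an assumption.

```python
"""Access review for a customer-data system (constructed example).

Joins an HR roster against an entitlement export, flags accounts that should
not have access and produces the "who can see customer data" list that a
privacy review asks for. Every name, system and date here is made up.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    user_id: str
    worker_type: str                      # "employee" or "contractor"
    status: str                           # "active" or "terminated"
    contract_end: Optional[date] = None   # contractors only


@dataclass(frozen=True)
class Entitlement:
    user_id: str
    system: str
    role: str
    granted: date


# Constructed HR roster; assumption: HR is the authoritative identity source.
HR_ROSTER: Dict[str, Person] = {
    "u1001": Person("u1001", "employee", "active"),
    "u1002": Person("u1002", "employee", "terminated"),
    "c2001": Person("c2001", "contractor", "active", date(2011, 6, 30)),
    "c2002": Person("c2002", "contractor", "active", date(2011, 12, 31)),
}

# Constructed entitlement export from the systems under review.
ENTITLEMENTS: List[Entitlement] = [
    Entitlement("u1001", "crm", "customer_read", date(2010, 3, 1)),
    Entitlement("u1002", "crm", "customer_admin", date(2009, 8, 15)),    # leaver, never revoked
    Entitlement("c2001", "crm", "customer_read", date(2011, 1, 10)),     # contract has ended
    Entitlement("c2002", "crm", "customer_read", date(2011, 2, 1)),
    Entitlement("svc_batch", "crm", "customer_read", date(2008, 5, 5)),  # no HR record at all
    Entitlement("u1001", "hr_portal", "self_service", date(2010, 3, 1)),
]

# Systems that hold personal information and therefore fall under the review.
CUSTOMER_DATA_SYSTEMS = {"crm"}

Finding = Tuple[str, str, str, str]  # (kind, user_id, system, role)


def review_access(roster: Dict[str, Person], entitlements: List[Entitlement],
                  review_date: date) -> List[Finding]:
    """Return one finding per entitlement that fails the reconciliation."""
    findings: List[Finding] = []
    for e in entitlements:
        person = roster.get(e.user_id)
        if person is None:
            # Nobody in HR owns this account: orphaned or a shared service account.
            findings.append(("orphaned_account", e.user_id, e.system, e.role))
        elif person.status == "terminated":
            findings.append(("leaver_still_has_access", e.user_id, e.system, e.role))
        elif (person.worker_type == "contractor" and person.contract_end is not None
              and person.contract_end < review_date):
            findings.append(("contractor_expired", e.user_id, e.system, e.role))
    return findings


def revocation_list(findings: List[Finding]) -> List[Tuple[str, str]]:
    """(user_id, system) pairs to hand to the de-provisioning process."""
    return sorted({(f[1], f[2]) for f in findings})


def customer_data_access(roster: Dict[str, Person],
                         entitlements: List[Entitlement]) -> List[Tuple[str, str, str]]:
    """Everyone who can reach customer data, with worker type, for the privacy officer."""
    rows = []
    for e in entitlements:
        if e.system in CUSTOMER_DATA_SYSTEMS:
            person = roster.get(e.user_id)
            rows.append((e.user_id, person.worker_type if person else "unknown", e.role))
    return sorted(rows)


if __name__ == "__main__":
    today = date(2011, 7, 25)  # constructed review date
    for kind, uid, system, role in review_access(HR_ROSTER, ENTITLEMENTS, today):
        print(f"{kind:24} {uid:10} {system}/{role}")
    print("revoke:", revocation_list(review_access(HR_ROSTER, ENTITLEMENTS, today)))
    print("customer data access:", customer_data_access(HR_ROSTER, ENTITLEMENTS))
```

Run against real exports, the same three checks (no owner, owner has left, owner's contract has ended) are the ones that make an access review repeatable rather than a once-off clean-up; the revocation list is the input to the automated de-provisioning step, and the customer-data access list is the record a regulator or information protection officer would ask to see.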

“We used to see companies look to implement identity and access management to address administrative burdens or save costs,” says Whittaker. “But now they are looking at it to manage risks and address compliance challenges.”

In an increasingly connected world, how IT departments are themselves governed is rapidly becoming as important as how they support broader corporate governance and regulatory objectives.

IT is now central to how businesses operate and handle information, says Nick Wonfor, country manager at CommVault. IT departments should support the overall risk management needs of an organisation by establishing governance practices and policies that address information security, information privacy and general information management, he adds.

The CIO's role in GRC is to bridge the gap between the business' GRC requirements and the ICT solutions that will fulfil them, says Wonfor.

“We are all so dependent on our IT systems that if something happens to them, we are in trouble,” says Winnie Lipner, channel manager for StorVault Africa.

“That means IT governance must be measurable with proper processes and frameworks in place.”

Where to start

G, R & C united only in name

Governance, risk and compliance are all well-established business disciplines in their own right, but it is only recently that companies have started to see them as an integrated business function called GRC. Efforts to unite the implementation and measurement of the three functions under one banner are still in their infancy.

A survey conducted by Ponemon in the US on behalf of EMC found that only 20% of organisations have defined an enterprise GRC (eGRC) strategy for the entire enterprise. The research also found that there is little collaboration between the IT, operations, finance and legal departments affected by GRC issues.

Only 28% of respondents reported that their organisations enjoy frequent collaboration or co-operation among these eGRC domains. The Ponemon report found that governance activities are still mostly located in IT, while risk management activities are usually managed within the associated domain.

Compliance activities usually reside in their own corporate compliance function, while privacy and data protection management is most likely to be located in the legal department. Organisations taking part in the survey identified managing privacy regulations as the biggest factor driving them towards integrated GRC programmes that span their IT, legal, operations and finance departments.

Companies have a daunting selection of best-practice standards and frameworks they can use to guide their IT governance programmes, including the IT Infrastructure Library, the ISO 20000 IT service management standard, the ISO 38500 IT governance standard and the Cobit IT management and governance framework.

Increasingly, vendors and IT managers alike are thinking about these frameworks and standards as guidelines to good practice rather than as a rigid set of rules that need to be followed to the letter.

“None of these good practices were intended to make you a slave. They were intended to liberate your thinking,” says Johann Botha, director at Marval SA. “Compliance with any standard or framework for the sake of compliance is a bad idea.”

IT governance should be about facilitating the uninterrupted flow of the right information to the right people at the right time, says Botha. It should be shaped by the needs and context of the business and it should help the organisation meet its objectives every month or year. It should not be a 'tick-box exercise' simply to meet the demands of auditors, regulators or customers.

An organisation should start off by doing an audit of the IT environment and identifying which gaps need to be plugged to comply with the relevant regulations and frameworks, says John McLoughlin, MD at J2 Software. These gaps should be addressed through corporate policies.

McLoughlin stresses the importance of educating end-users about the value that these policies bring to the business. If people understand how information loss could harm the company, they will be willing to comply with the systems and processes put in place to prevent data leaks, says McLoughlin.

T-Systems SA has kicked off a large-scale GRC project that seeks to align it with its German parent company's standards as well as with local laws and regulations such as the King III framework and the New Companies Act. It has recognised that it will need trust and awareness among its employees to make GRC work, says Hattingh.

For that reason, T-Systems SA is supporting its compliance project with a massive internal communications drive.

“We want to make it as exciting as possible for everyone involved,” Hattingh adds.

As far as possible, companies should avoid putting processes and policies in place that frustrate employees who are trying to do their jobs, says McLoughlin. People will simply sidestep any processes that limit their ability to work efficiently, he adds.

“It's better to have fewer controls that are easy to manage, that are applicable to the environment and that add value than to over-regulate,” Botha agrees.

By automating the processes that enable compliance where possible, companies can reduce the chance of human error creeping in and take some of the pain out of GRC, says Grobler.
