
Methodology and expected outcomes can determine the success or failure of governance, risk and compliance (GRC) solutions in organisations.
So says Philip Tillman, MD at CQS Solutions, who adds: "This means having a clear understanding of what functionality and flexibility an organisation requires, and what reports need to be generated by the system."
According to Tillman, another key success factor is obtaining buy-in from IT management, as is a solid implementation strategy.
"Getting buy-in from IT management will set the tone for discussions about database platforms, user access and system maintenance," Tillman says. He believes that ensuring the leadership of an organisation buys into the need for GRC will improve any existing activities.
Commenting on the success of South African organisations' ability to effectively implement GRC solutions, Tillman says: "South Africa finished number one for strength of auditing and reporting standards in the efficacy of corporate boards and regulation of securities exchanges in the Global Competitiveness Report 2012 - 2013, published by the World Economic Forum. Since we have a mature and effective governance environment, in my experience, the majority of GRC implementations started are completed with great success."
When asked his opinion on whether South African organisations prefer to use in-house GRC solutions or opt for outsourcing, Tillman says: "Some organisations with mature IT departments do attempt to build in-house solutions, and do so successfully. With that said, true GRC solutions combine multiple assurance discipline requirements into a single solution. This means it is a necessity to have a deep understanding of methodology, development principles and reporting requirements. As a result, even those organisations that develop their GRC solutions in-house often migrate to a mainstream solution."
According to Tillman, there is a definite trend among local organisations when it comes to choosing solutions that integrate into a broader IT strategy, as opposed to standalone solutions. He also notes that organisations want a solution that can expand into areas such as data analytics or incident trending, and one that is more focused on risk quantification and aggregation.
"True GRC is achieved when technology meets methodology to change business psychology. Technology is only the enabler, as an organisation's methodology needs to be clearly defined in order to ensure its GRC solution will make an impact on its day-to-day business behaviour," Tillman concludes.
On this note, CQS, in partnership with ITWeb, is conducting an online GRC survey. Organisations are required by law to govern their databases and implement comprehensive GRC strategies. This survey will help determine and understand the drivers of GRC within organisations, what technological challenges they face, as well as to what extent GRC is embedded in organisations in SA.
To complete the survey, and stand a chance to win a Canon A810 Power Bundle, click here.