IT GRC specialists add value
Governance, risk and compliance (GRC) are three pillars that work together to provide assurance, support decision-making and implement structures within an organisation.
This is according to Bessy Mahopo, head of IT risk at WesBank. She addressed delegates at the Governance, Risk and Compliance 2016 summit hosted by ITWeb and its partners earlier this week in Hyde Park, Johannesburg.
Mahopo said governance and risk have a relationship; if companies don't practise one, the other will suffer.
"IT compliance is one of the key enablers of processes we need in order to make a decision within an organisation.
"Although many people have their own interpretation of the purpose of GRC, the ultimate goal is operational efficiency because many things can go wrong within an organisation."
She also elaborated on the role and objectives of an IT GRC specialist, saying oftentimes when an IT GRC specialist walks into a building they are asked, "The auditors are here; why are you here?"
"The role of an IT GRC specialist is to ensure that by the time the auditors come to audit, you've got the house in order.
"People need to understand that GRC is not about trying to satisfy an audit requirement or merely to check compliance, it's also about adding value."
Mahopo said one way in which IT GRC specialists can add value is by understanding what the business is going through and knowing the processes and structure.
She said this enables a company to benefit once a GRC strategy and solution are devised.
"It's difficult for people to understand the value that comes with GRC because it's a role that doesn't necessarily bring direct profit into a business. As a result, many companies don't comply with GRC policies even when they are aware of them.
"Bridging that gap by ensuring companies implement these policies becomes part of the role of ICT GRC specialists."
Mahopo explained there are three elements that work together: processes, people and technology. Governance concerns not only decision-making but also the processes used to execute those decisions.
"Decision-making can be in the form of forums or self-controls, such as company policies, standards and procedures. It's a combination of these, not only one.
"As far as compliance is concerned, we are seeing lots of policies and regulations entering the IT arena because there is a lot of interest in the way IT processes information or makes decisions."
She said people often ask her why they need IT GRC.
"Many things can go wrong in the IT operations of a business, and some of these things can be avoided when a company has a GRC agenda through which it can address or prevent them.
"This also helps with maintaining a robust, consistent reporting process within a business. This is another way of ensuring the processes are followed by employees without necessarily policing them."
She added that ultimately this will help improve operational efficiency while eliminating the duplication of processes, which is common in organisations.
"This duplication is caused by a lack of fundamental understanding about GRC. Regulations come as applicable law and we cannot avoid them; however, we can better strategise how we respond to them."
Mahopo noted the IT policy governance framework consists of standards, guidelines and step-by-step procedures which companies should follow in compliance with policies.
However, she said reports have found employees don't comply with these recommendations, and it becomes difficult to measure and review a business's standard operating procedures against the IT GRC policy.
"Companies are sometimes quick to buy IT tools under the impression that these will be a silver bullet and perhaps they can be of assistance, but this doesn't help if there are no processes on how such tools can be used effectively."
She noted GRC specialists have a huge responsibility in demonstrating the value of policy compliance. This means they have to ensure they are ahead of the game in order to offer solid advice and support.
"Demonstrating value out of the intangible can be a tough thing to achieve."
However, she added that one effective method of demonstrating value is through the use of key performance indicators (KPIs).
"KPIs are a crucial aspect of GRC because they go hand-in-hand with operational efficiency," she concluded.