Developing effective IT GRC strategies
For IT governance, risk and compliance (GRC) strategies to be effective, organisations should be clear about what they are trying to achieve in implementing them.
This is a view shared by MD of SLVA Information Security Kris Budnik at ITWeb's 2014 governance and risk management conference in Bryanston, Johannesburg.
"There first needs to be a clear understanding of what GRC means. Deloitte, for example, defines it as 'a prickly tangle of controls and practices buried inside functional or geographic silos with hundreds of isolated activities', CFO Magazine explains it as an 'academic definition of the word mess' while Risk Management Magazine asked, 'Isn't the GRC acronym invented by consulting and technology firms to help sell services and software?'"
Budnik noted that, while there may be ongoing debates about the term, what is becoming clear is that executives and directors are being held to higher standards and levels of accountability.
"There's also consensus that compliance costs have spiralled amidst the increasing volume and complexity of laws, regulations and rules," said Budnik. "Stakeholders are more active and aggressive, more transparency is demanded and, lastly, the speed and consequence of 'risk events' have dramatically increased."
For his part, Budnik urged organisations to understand that GRC is simply a system of people, processes and technology that enables them to understand and prioritise stakeholder expectations, and to set business objectives that are congruent with their values and risks.
Added to this, he stated that it also helps businesses operate within legal, contractual, internal, social and ethical boundaries.
"It provides relevant, reliable and timely information to appropriate stakeholders, and enables the measurement of the performance and effectiveness of the system. The key question for organisations to address should be 'why is it important to implement?'"
Businesses should identify by name the factors that should drive their GRC implementation, according to Budnik. Their objectives should be clearly stated, even if they are just laws and regulations, industry standards, common practices or internal requirements.
"These objectives go hand in hand with the adherence to applicable laws, regulations, policies, contracts or any other mandated requirements," said Budnik. "All these factors should be key considerations in mapping out and developing effective GRC strategies."
Budnik concluded that organisations should determine all who play a part in the process, from IT operations, security and information risk, and enterprise resource management through to executives.