To many organisations, compliance to legislative and regulatory standards can often be regarded as a cost burden, rather than a business benefit.
However, an effective enterprise GRC platform should tick a number of boxes. Not only are these solutions necessary to identify, track and analyse enterprise and technology risks, but they are also essential if an organisation is to effectively monitor and manage corporate and IT compliance initiatives.
In failing to keep a watchful eye over these processes, businesses simply cannot expect to stay up-to-date and aligned with global laws and industry standards. Likewise, ensuring employees adhere to company policies is much harder without a comprehensive view of the overall company strategy and regulations.
While there has historically been a good balance of pressure for large organisations operating in heavily regulated industries to create a consolidated platform for their company–wide GRC stance, this has not always been the case across all sectors. A more common scenario that businesses find themselves in involves GRC initiatives springing out of individual business units’ needs, as opposed to an over-arching strategy.
Many siloed applications in this market primarily fall into a select few categories, such as corporate governance and compliance management, audit management, enterprise risk management and business resiliency. However, Vivek Shivananda, CEO, Rsam, believes that it is impossible to get a complete view into an enterprise’s overall risk by taking this “patchwork approach.”
Instead, enterprises should be on the lookout for an integrated reference architecture that ties all of these GRC use-cases together. “This way, risk is normalised across the enterprise, and the business has access to a collection of actionable data,” he says. “The key is to select a platform that offers the flexibility to deploy GRC use-cases in any order, yet still be able to connect to them in the background.”
In this data-driven world that we now find ourselves in, it is widely recognised that maintaining the ability to not only collect, but protect, this data is something that can keep CIOs awake at night. The protection of this information can only be assisted by an effective GRC solution that hammers an organisation’s IT security protocols into its entire employee base, while enabling those concerned with the ability to oversee and manage the adherence to these mandates in a contained fashion.
Gartner’s definition states, “GRC is neither a project nor a technology, but a corporate objective for improving governance through more effective compliance and a better understanding of the impact of risk on business performance.” This focus on making GRC a “corporate objective” depicts the manner in which CIOs should go about encouraging executives to buy-in to establishing an effective framework, and demonstrates that it is not simply a matter for the IT department.
While the return on investment in this area may not be plain for all to see, the major risk involved in not complying with certain mandates, or the thought of being hit by a catastrophic data loss which would massively impede customer’s trust, is surely enough leverage for expecting a reasonable amount of investment from the top into this platform, believes Shivananda. “CIOs can justify an investment in GRC by quantifying what a company stands to lose by not having a platform in place,” he says. “If you could stop potential havoc from happening, how valuable would that be to the enterprise?”
Organisations everywhere are now finding themselves hard-pressed to meet a range of regulations, put in place by regulatory bodies such as ISO, ISR and NESA. From a regional perspective, The National Electronic Security Authority (NESA) is a government body tasked with protecting the UAE’s Critical Information Infrastructure (CII) and improving national cybersecurity. To achieve this, NESA has produced a set of standards and guidance for government entities in critical sectors. Compliance with these standards is mandatory for regulators, CII operators, and other relevant participating stakeholders who support critical national services.
As operational, technological and legal demands shift across business units, compliance mandates such as NESA dictate the ways in which companies must stay in line. “Organisations globally are forced to deal with compliance mandates,” explains Shivananda. “It is not an option to ignore them without having a negative impact on the business. I rarely come across an organisation today that doesn’t understand the need to fulfill these mandates; the challenge is how.”
Nearly every GRC leader says their greatest concern is risk they cannot see. In order to combat this, GRC providers often carry out an IT assurance audit before the implementation, to assess the strength of an organisation from a technology perspective based on global practices and standards. This establishes whether or not a business is actually ready to implement such a solution.
“Once you enter the design phase, be wary of any technology platform vendor that asks upfront for all requirements you think you may ever need,” warns Shivananda. “It’s an impossible task. First, you don’t know what you don’t know, and second, the business environment isn’t static. Things are constantly changing. If your requirements are hard-wired into the platform, you are stuck with a rigid system that can’t adapt.”
It is for this reason that CIOs are advised to opt for a framework that has its roots in GRC, not a platform created for another purpose and modified to accommodate GRC. “The platform must be able to adapt to change without the need to recode or spend hours reworking the design,” says Shivananda.
Any enterprise-wide GRC management system must deliver a single strategy across the whole business, which integrates efficiently with the organisation’s goals. This involves frameworks going beyond more than aligning with compliance mandates, and should instead serve as a platform for enhancing a business’s overall efficiency and accountability.
The benefits of this approach will, of course, vary depending on the organisation. But the overarching positives are likely to include the reduction of costs in maintaining various siloed applications and providing IT support resources, and should also encourage greater communication between employees across the business.