IT GRC - Why? Why not!


To this day I haven’t forgotten the story about the college kid who scored 100% on his final Psychology examination by answering the only question on the paper, “Why?”, with the words “Why not!” Now I can’t tell you for sure whether this is fact or just an impressively well-travelled urban legend that has gone down in the annals of university ‘history’. But fiction or otherwise, one thing’s for sure: sometimes things make so much sense that it’s hard to argue any other way. And in my opinion, one of those things happens to be IT GRC.

Now there’s been a lot of airtime given to IT GRC in the last few years. There are those who think it’s nothing but a bunch of hot air, others who say it’s only for organizations with big budgets, and some who just want things to stay as they are. Then there are the believers, who, knowing what they do now, wouldn’t have it any other way.

Today, synergy and integration are key, and the silo mentality of yesterday is all but fading into oblivion. Have you heard the saying “the right hand doesn’t know what the left hand is doing”? Well, no one wants to hear that in the age of Information and Technology. Enterprises today face an enormous challenge in having to continually and sustainably create value, against the lingering backdrop of the scandals and financial crises that scarred the first decade of the new millennium. Every organization that I speak to today wants more accountability and assurance when it comes to performance and conformance in the pursuit of strategic objectives. IT GRC can give them just that. Aligning and integrating disparate IT Governance, Risk and Compliance activities into a unified whole brings the essential people and processes together, fostering collaboration and communication, providing greater transparency to stakeholders, instilling a culture of knowledge sharing in the organization and delivering a platform for more effective and efficient ‘risk-aware’ enterprise decision making. But who would want those benefits, right?

So what’s the alternative? Well let’s look at an all too common scenario:

There’s a change to a regulation that is mission-critical to the organization. The compliance team picks it up and sets about determining the impact on the compliance status of the organization. They figure out they need to implement a new internal control to satisfy the new regulatory requirement, and their ETA for its implementation is six weeks. The compliance team’s generic KPI is to ensure compliance with regulations, so they add it to their roadmap and continue with business as usual.

Three days later the enterprise is hit with a $10m fine. One could say that the compliance processes failed to inform the risk management processes, which failed to inform the governance processes. Or that Governance wasn’t monitoring risk, which wasn’t monitoring compliance. Whichever way you cut it, the net result is the same: the organization continued to trade in a non-compliant state, completely oblivious to the associated risk, and was ‘caught’ by a random audit from the regulatory body. And it wasn’t just one silo that took the hit; the whole business almost collapsed. That’s more than just a few red faces.

I could paint a picture from a bucketful of scenarios, but I don’t think it’s necessary. The case for IT GRC speaks for itself. Why on earth wouldn’t the contemporary enterprise want to implement and inculcate an integrated Governance, Risk and Compliance structure within its IT organization? Ask any CIO or executive what their priorities are in 2015, and without doubt “managing and optimizing risk”, “internal and external compliance” and “creating value for the enterprise” will be right up there on their list. Last time I checked, the primary Governance objective was value creation! Why would any organization contemplating introducing IT Governance, Risk Management and Compliance even consider segregating these naturally interfacing disciplines? What would be the benefit in that? None. And I can tell you, the myth that an integrated IT GRC solution is more costly is exactly that: a fallacy. Surely tighter, more cohesive management of compliance and risk will lead to improved governance, and collectively this will help the organization to conform and perform better?

IT Governance within the organization is a subset of Enterprise Governance, and as such has a critical role to play both in supporting the Governance objectives of the organization and in delivering those of the IT function. The latter specifically include reducing risk, optimizing cost and maximizing value and return on investment from Information Technology. One of the greatest sources of IT risk is non-compliance, which can carry punitive and even criminal liability. So whenever organizations look at ways to assure and account for performance, conformance and ultimately the creation of sustainable value, the words Governance, Risk and Compliance enter the equation every time. And not in isolation either, but as a unified and integrated whole: IT GRC. Why would you want it any other way? This may not be college, but the next time somebody asks you “Why IT GRC?”, the only answer you should be giving is: Why not!