Remaining compliant with regulations and keeping data secure has become increasingly difficult in the digital age, and companies have started taking a targeted approach: Eighty-two percent of respondents to our annual IT Priorities Survey reported that their organization already has, or is planning to implement, a formal governance, risk and compliance (GRC) program in 2014.
Increased regulations, expanded IT security threats and a rapidly growing data footprint force a proactive approach to maintaining GRC, said Derek Gascon, executive director of the Compliance, Governance and Oversight Council (CGOC).
"There is so much new data they have to deal with," Gascon said. "Organizations are realizing the amount of information they are generating has to be managed in a way that they can more easily produce it when necessary, and also be able to protect it throughout the lifecycle."
But with compliance already broadly deployed, new programs may be on the decline: Twenty-four percent of respondents said their organizations would implement a compliance program in 2014, down from 36% of the respondents in last year's survey.
Many companies balance numerous GRC projects, but this often creates disconnects among interdepartmental efforts, said Michael Rasmussen, chief GRC pundit at GRC 20/20 Research LLC in Waterford, Wis. Large organizations might have multiple GRC platforms for certain departments, but still struggle with spreadsheets, documents and emails because other parts of the company still have paper-intensive processes.
While it makes sense that more than 80% of respondents say they have a GRC program in place, Rasmussen guesses that a majority of these are department-based.
"If the question was do you have an enterprise GRC program that integrates the views of enterprise risk, audit, corporate compliance, legal, IT security, health and safety, then you will find the percentage to be significantly less," Rasmussen said.
The cross-departmental approach to GRC programs is hugely beneficial because many risks -- especially those that are regulatory-related -- affect multiple departments. A companywide approach to GRC can save resources if the organization's risk management efforts are not run completely independently of one another.
"A failure in finance can impact IT, and a failure in IT can impact finance," said Renee Murphy, a senior analyst at Cambridge, Mass.-based Forrester Research Inc. "You can't make corporate-level decisions, board-level decisions without understanding that relationship."
This enterprisewide approach to GRC programs requires a similar strategy for information management, the CGOC's Gascon said, and forces organizations to take a more holistic view of the data they generate and how they govern it.
It's not just the data that falls under governance and compliance mandates, either: Everyday business data should be managed throughout its lifecycle as well, Gascon said. While not specifically targeting GRC, encouraging this type of data management culture ultimately benefits compliance programs, he added.
"It creates a culture within the organization that everybody needs to take care of the information they are working with and follow the guidelines that are out there," Gascon said.
The business benefits of GRC
Implementing a companywide GRC program is definitely not easy, but a risk-related oversight is potentially costly to a business' bottom line and reputation. Take, for example, the recent Target breach as proof of how customer loyalty -- and profits -- can drop dramatically due to a risk-related oversight, said Forrester's Murphy. "If you are really forward-thinking and understand that GRC is a net positive for your organization, I think you are ahead of the game," she said.
One big obstacle to GRC program implementation is the negative connotation still associated with compliance mandates. Employees often immediately think of audits or litigation when they hear GRC, the CGOC's Gascon said.
But as data and how it is managed become more of a priority, companies can realize the business benefits of formal compliance and GRC programs beyond their original purpose.
"People should see the real value that comes from putting that kind of rigor in place and following those processes," Gascon said. "Going forward, we're starting to see organizations realize governance programs as actually a start to taking advantage of the data that they have."
This was first published in January 2014