As regulatory mandates continue to proliferate for organizations, compliance professionals are turning to their IT departments to automate processes required to stay on the right side of regulators. In turn, IT departments are steering compliance professionals toward strategic tool sets, such as GRC platforms, to avoid human error and decrease audit burdens.
Governance, risk and compliance (GRC) platforms are designed to integrate with a company's everyday business processes to assist risk and regulatory management across the organization. The goal of these platforms is to establish a single framework that is integrated into business strategy to quickly identify data-related threats or potential compliance violations.
Not all platforms are created equal, however, and a GRC program is only as good as how well teams understand the environment. As a result, data classification tools are a critical component of GRC platforms and other tools designed to assist GRC management, said Kennet Westby, president and CEO of Dallas-based independent IT and audit firm Coalfire Systems Inc.
"The biggest areas where technology plays a huge part is inventorying and classifying the environment, and leveraging databases and visualization for the organization so compliance, audit and security teams understand what the environment looks like," Westby said.
GRC platforms and related tools can also help monitor third-party environments operated by cloud providers.
"It's not as easy running discovery scans in a cloud environment because it's not necessarily your environment to control," Westby said. When choosing a GRC platform or management tool, it's important to find out if it's engineered for third-party enablement, and if it has the ability to support mobility and other technologies that create big risks for organizations, he added.
Some GRC platforms include features that automate compliance-related data management processes to improve audit readiness and GRC monitoring, according to Gary Alterson, senior director of risk and advisory services at Chicago-based security and IT risk management firm Neohapsis. He recommended companies map GRC platforms to their policies and use automation features to validate compliance controls, as well as ensure the tool offers proper enforcement mechanisms.
Automated GRC processing tools also collect metrics to gauge whether the organization is compliant with clearly defined data management rules, he added.
"Many times, IT organizations haven't built fully automated processes or have allowed configurations and processes to drift over time," he said. "Those tools allow an organization to either apply or enforce settings, or at a minimum, identify when settings are out of sync with expectations and rectify with internal processes."
Real-time risk management
Wrangling data is just one of the facets of achieving compliance, and it's what Paramus, N.J.-based Hudson City Savings Bank struggled with when the Dodd-Frank Act passed in 2010. As Hudson City Savings grew into a $65 billion bank, vice president Frank Santora knew from his experience at larger organizations that a GRC system was necessary.
"I'm a risk guy, so the most important thing for me was understanding the real-time risk profile," Santora said. That required technology to track changes in the organization's risk profile and related threat management processes for strategic decision making, he said.
Building a GRC library was critical to fostering compliance. The bank compiled all processes, policies, regulations, controls, vendors and applications, then linked data elements together to allow for better GRC reporting, Santora said.
Because regulations are constantly changing, lists of applicable regulations are input into Hudson City Savings Bank's GRC tool and linked to processes and policies. The bank can then quickly identify policies impacted by specific regulations and send out messages to policy and process owners to inform them which actions to take, he said.
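The linked GRC library and regulation-change workflow described above, as an added illustration that is not the bank's or any vendor's code: elements (regulations, policies, processes, applications) sit in a directed link graph, a change to one regulation is traced through every linked element, and the impacted policies and processes are grouped by owner so each owner receives one notice. All element ids, owners and links are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample GRC library: element id -> (kind, owner). Hypothetical names.
LIBRARY = {
    "reg:example-act": ("regulation", None),
    "pol:capital-reporting": ("policy", "cfo-office"),
    "pol:stress-testing": ("policy", "risk-group"),
    "proc:quarterly-call-report": ("process", "finance-ops"),
    "proc:model-validation": ("process", "risk-group"),
    "app:ledger": ("application", "it-finance"),
}

# Directed "affects" links: regulation -> policies -> processes -> applications.
LINKS = {
    "reg:example-act": ["pol:capital-reporting", "pol:stress-testing"],
    "pol:capital-reporting": ["proc:quarterly-call-report"],
    "pol:stress-testing": ["proc:model-validation"],
    "proc:quarterly-call-report": ["app:ledger"],
    "proc:model-validation": ["app:ledger"],
    "app:ledger": [],
}


def impacted(links, element_id):
    """Breadth-first walk from a changed element over the link graph.

    Returns the ids of every downstream element (excluding the start) in
    traversal order. The `seen` set also makes the walk safe on cyclic links.
    """
    seen = {element_id}
    order = []
    queue = deque([element_id])
    while queue:
        current = queue.popleft()
        for nxt in links.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                order.append(nxt)
                queue.append(nxt)
    return order


def notifications(library, links, regulation_id):
    """Group the impacted policies and processes by owner: one message per owner."""
    if library[regulation_id][0] != "regulation":
        raise ValueError(f"{regulation_id} is not a regulation")
    by_owner = defaultdict(list)
    for eid in impacted(links, regulation_id):
        kind, owner = library[eid]
        if kind in ("policy", "process") and owner:
            by_owner[owner].append(eid)
    return dict(by_owner)
```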
The GRC platform also helps Hudson City Savings Bank share risk, audit and compliance information between departments and with third-party auditors. "Although we need to maintain an independent view of the organization, we also need to share information because our assessments shouldn't be materially different," Santora said. Collaboration shouldn't compromise that independence, and communication can help avoid overlapping testing scenarios, he said.
Even better, the bank is able to centralize issue tracking, so any problem identified by an audit or self-assessment is entered into the centralized GRC platform. This ensures the problem is addressed quickly by the operational risk group.
"Regulators love that the tools are not missing anything and [are gathering information] in a timely manner," Santora said. "The technology makes sure we can do that, and with reporting, we can demonstrate it."
About the author:
Christine Parizo is a freelance writer specializing in business and technology. She focuses on feature articles for a variety of technology- and business-focused publications, as well as case studies and white papers for business-to-business technology companies. Prior to launching her freelance career, Parizo was an assistant news editor for SearchCRM.