tiero - Fotolia

Data governance due diligence key to GRC automation success

Information governance expert Jeffrey Ritter discusses how companies can successfully align GRC automation with existing data governance processes.

As compliance regulations continue to grow in number and complexity, companies have started to turn to automating governance, risk and compliance (GRC) processes to save resources. Automated GRC embeds specific data management rules in existing company processes to help ensure compliance and security. The automated processes must closely align with the company's existing data management objectives, however, and can be difficult to implement without everyone -- from the legal department to risk officers -- on board with the plan.

In this Q&A, attorney and information governance expert Jeffrey Ritter discusses the GRC automation movement, and why its success will depend on how well companies prepare for implementation.

Is it difficult to find or develop GRC automation software because compliance needs are so unique for each organization?

Jeffrey Ritter: Generally, GRC software is merely documenting the occurrence of events according to defined processes. Within industries, the requirements for those processes are established by regulations. To that extent, the compliance needs are comparable. However, particularly in the United States, the flexibility afforded by many regulations has allowed companies to develop solutions that are remarkably non-uniform. In other words, their compliance needs are not unique, but their internal solutions are incredibly diverse and inconsistent in their approach. GRC automation first requires a company to author its process rules so that they produce data-specific measurements and documentation. Many companies have resisted developing such rigid rules -- often on the advice of legal counsel -- in order to preserve flexibility should an investigation be launched.

Corporations [that] have aligned their business processes to published standards, particularly those for information security and information governance, are best positioned to take advantage of GRC automation solutions.

How can compliance and IT managers ensure GRC automation processes integrate smoothly with existing company processes? Who needs to be involved in that integration?

Ritter: The 21st century is witnessing a remarkable transformation in the corporate board's view of compliance. Previously, compliance was an obligation to be avoided at any possible cost to net profits. The tide has shifted, and compliance to defined processes is a now a critical requirement for corporations to be profitable. Six Sigma and other measurement-based management strategies emphasize consistency and documentation. As a result, GRC automation is becoming equivalent to effective corporate governance.

The bottom line is that to succeed with GRC automation, compliance and IT managers should never mention the word 'compliance.'
Jeffrey Ritterattorney and information governance expert

Compliance and IT managers require senior management buy-in in order to be successful. To achieve that buy-in and acquire the involvement of all of the necessary stakeholders, compliance and IT managers have to demonstrate that GRC automation not only reduces operating costs, but increases net profits. Once that business case is made, senior management's support will be powerful.

The bottom line is that to succeed with GRC automation, compliance and IT managers should never mention the word "compliance." Instead, they should emphasize efficiency, reduced rate of failures and similar important business objectives that GRC automation can accomplish.

If a company chooses a vendor for GRC automation, is a company more at risk when its compliance data resides in a public or private cloud setting?

Ritter: That is a hard question to answer. Any GRC automation solution creates an authoritative, difficult-to-erase record of the company's conduct. In other words, it is creating digital evidence of the truth. Whether that information is stored internally or in the cloud is less important than the overall security and integrity with which the corporation protects all of its digital assets. If the company does not have effective security deployed across cloud-based relationships, their data will be at risk. The key is to design effective security around any data asset so that the migration or storage of that data to a public or private cloud does not create [a] security risk.

Jeffrey Ritter, external lecturer at the University of Oxford and Johns Hopkins University Whiting School of EngineeringJeffrey Ritter

Can GRC automation software adequately respond to the governance demands of big data, and even ultimately make compliance processes easier?

Ritter: Companies that use GRC automation software, by necessity, are documenting and executing their governance rules against information consistently and efficiently. The stored data inherently has greater value, and helps improve the efficiency and profitability of a company. Those who resist GRC automation are also limiting their potential to benefit from big data analytics at the lowest possible cost.

If GRC processes are automated, what stipulations must be included in corporate governance policies to ensure auditability of the compliance data?

Ritter: The corporate governance policies and GRC processes must be connected by synchronized rules. It is no longer acceptable for lawyers to build corporate policies that include ambiguities that conflict with the precision on which GRC and other competitive uses of IT now require. Corporate governance policies must be crafted to anticipate that compliance with their requirements will be measured and capable of audit in quantitative terms.

Relying upon employees and contractors to "do the right thing" also will not accomplish the level of compliance and governance that the market is demanding from companies. Therefore, the reforms require a fundamental rethinking of how the policies will promote measured compliance and governance across a corporation and its connected ecosystems.

Let us know what you think about the data currency story. Email Ben Cole, site editor. For more regulatory compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

Next Steps

Aflac's CISO discusses the process behind the insurance giant's GRC automation rollout

Learn how automated compliance systems benefit mobile device management

Build an effective framework for data governance 

Dig Deeper on Automating compliance processes