The report, authored by Stephen Walker and Ralph Rodriguez, discusses how the rise of government-mandated compliance regulations and organizations' need to safeguard sensitive data are forcing organizations to reconsider how their data is stored, accessed, secured, and managed.

The article suggests that many organizations are implementing GRC programs for two main reasons:

  • Outside regulatory bodies are requiring them to initiate the programs
  • Awareness of the potentially enormous monetary and/or reputation risks of not having such a program in place

Implementing a Successful GRC Initiative

There are numerous benefits to a successful GRC initiative; however, implementing one can be complex and expensive.  According to a poll conducted by the Aberdeen Group in 2007, the top anticipated problem in implementing GRC solutions was ineffective communication of policies and procedures.  These problems are normally rooted in the organization's structure.  In particular, large companies often group departments into silos that do not communicate effectively with each other.  The authors claim that this can cloud the enterprise-spanning visibility needed for effective risk mitigation.  Therefore, many organizations have adopted risk convergence policies and procedures.  An organization should adopt a system for managing risks that develops an enterprise-wide risk picture.

Regulatory Compliance

According to a survey done by the Aberdeen Group in 2007, government regulation is the top factor driving interest in security and risk management initiatives.  Other main factors were the need to protect the organization and its brand, protect sensitive business information, and comply with industry regulations.

The authors suggest that it is imperative for organizations to take top-level strategic action to drive investment in the development and enforcement of consistent policies and procedures related to governance and risk. Without a holistic and integrated GRC framework, organizations will have limited cohesion and little success when implementing the enterprise-wide changes necessary to address mandated regulations and adequately manage growing operational risks.  They go on to argue that there is a direct relationship between the amount of time and effort an organization puts into its GRC program and the effectiveness of that program.

Information Technology

In today's environment, a major area of GRC is the intertwining of IT security and risk management.  Therefore, an organization should have a cross-functional team take ownership of the GRC initiative.  The authors suggest that this will address the common disconnect that exists between the IT and business functions within an organization.

Risk Management

The first step of GRC, and of risk management in general, is to define what the organization's loss events are.  Next, an organization can start to determine the appropriate processes to put in place to ensure that those loss events do not occur.  The authors claim, "Compliance concerns are forcing organizations to both rethink the priority that risk management solutions receive, and re-invest in GRC solutions that offer comprehensive risk management coverage."

According to a survey conducted by Aberdeen in 2007, the top strategic action for managing risk and preventing information loss was identifying and protecting sensitive data. From the enterprise's perspective, protecting sensitive data is a necessity, and as the volume of sensitive data held by organizations rises, a properly implemented GRC initiative becomes imperative.

Solution Selection Strategies

  • Thoroughly evaluate the forward-thinking business goals your organization is focusing on.
  • Develop a clear picture of the current problems facing your organization and potential stumbling blocks in the future.
  • Evaluate the current state of your organization's internal capabilities and structure.
  • Evaluate potential providers on their ability to alleviate current problems.
  • Map the capabilities of the potential provider back to the business goals your organization will be focusing on in the future.
  • Determine whether the potential provider offers integration and/or convergence as part of their solution.

Source: Stephen Walker and Ralph Rodriguez, "GRC Strategic Agenda: The Value Proposition of Governance, Risk, and Compliance," Aberdeen Group, February 2008.

ERM Enterprise Risk Management Initiative 2008-02-01