By Stephen Walker, Aberdeen Group
Organizations have been aggressively discussing “aligning IT to business” as a key strategy since the inception of the Information Technology (IT) department. The frequency and urgency of these discussions has increased significantly as heightened competition across a globalized economy has shifted the speed of business into overdrive. In addition to achieving and consistently providing documentary evidence of compliance with a growing number of regulatory mandates while attempting to manage the increasing scope and complexity of risks (from outside attack to insider abuse and everything in-between), IT departments are under greater pressure than ever to respond to business demands in tighter time-frames.
Recent research from Aberdeen Group's July 2008 benchmark report, Is Your GRC Strategy Intelligent? Analytics for Accurate Real-Time Visibility and Decision Making, reveals that alongside new and changing regulatory mandates (37%) and the need to better manage and mitigate business and operational risks (48%), one of the top three macro-economic pressures driving investment in Governance, Risk management, and Compliance (GRC) technologies and services is the need to improve operational efficiencies in IT and business activities (Figure 1).
Source: Aberdeen Group, December, 2008
Additionally, July's GRC report revealed an interesting correlation between the top five strategic actions companies are taking to improve their risk and compliance performance; all five are dependent upon efficient and effective communication and program alignment between IT and various business units. This is especially true with one of the top two strategies, the identification and protection of sensitive information (33%).
The IT-GRC market, one of the fastest growing and heavily discussed segments of the overall GRC space, is still relatively in its infancy in terms of both enterprise-wide adoption of IT-GRC technologies and services and, most importantly, end-user knowledge on efficient program implementation, management, and its direct link to achieving the business-driving performance improvements and Return on Investment (ROI) that flow from a comprehensively derived, effective approach. The importance of understanding and proactively addressing these issues has increased exponentially given the tumultuous economic events of recent months.
In the wake of the subprime mortgage crisis, ensuing instability in global financial markets, and the subsequent uncertain economic landscape, substantial scrutiny has been placed on two issues that are both heavily dependent on IT-centric functions and critical to a company's financial future:
- the adequacy and sufficiency of compliance processes, policies, and controls; and
- the effectiveness of information security and risk management procedures.
Especially worrisome for the countless companies, particularly those in multi-regulatory environments*, that continue to employ reactive, fragmented, and "check-box" approaches to achieving compliance objectives and guidelines, significant pressure to immediately and dramatically improve risk and compliance performance is being applied from the Board of Directors on down
The potential benefits of an effectively implemented and managed IT-GRC solution is the opportunity to attain competitive differentiation and success through improved, revenue-growth-focused alignment of IT risk and compliance activities and business unit goals and strategies, specifically:
- continuous compliance with internal and external requirements
- expansion and improvement of risk management capabilities
- significant cost savings through sustainable operational and business efficiencies
- re-direction of internal resources towards the advancement of core business activities
However, to realize sustainable, cost-reducing efficiencies through the efficient and effective alignment of IT risk and compliance processes and controls to business demands and goals, companies must blend a combination of strategic actions, targeted capabilities, and focused solutions to:
- Establish and enforce consistent policies and procedures for risk and compliance activities
- Identify and protect sensitive information
- Converge risk and compliance activities for improved efficiency and accountability
- Incorporate analytics and tools to monitor Key Performance Indicators (KPIs) on achievement of enterprise-wide risk and compliance objectives
- Map risk and compliance processes and technologies back to overall business goals